Jul 5, 2022 8:48:12 AM
Jun 23, 2022 1:05:29 PM
A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized information disclosure from the server running GeoAnalytics or unauthorized client-side code running in the context of users.
These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.
All Qlik GeoAnalytics server versions prior to these releases are impacted:
Three vulnerabilities are rated High: two because of the possibility of information disclosure from the server running GeoAnalytics (path traversal and SSRF), and one because it allows client-side script injection with a high integrity impact. One is rated Medium as it allows reflected client-side script injection. See below for the scoring breakdown.
QB-10651 - Path traversal vulnerability in GeoAnalytics Server
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)
Due to improper validation of user-supplied input, a malicious user may be able to access files on the server that they should not have access to.
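The weakness class behind QB-10651 is a file path built from a request parameter without confirming that the result stays inside the intended directory. The following Python is an added illustration of that pattern and its fix; it is not Qlik's code, says nothing about how GeoAnalytics Server builds paths, and the base directory `/srv/geoanalytics/data` and the sample inputs are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory of a hypothetical file-serving endpoint; not a real Qlik path.
BASE_DIR = "/srv/geoanalytics/data"


def naive_path(user_path: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the base directory
    with no check that the result stays inside it. '../' sequences escape, and an
    absolute path makes posixpath.join discard BASE_DIR entirely."""
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(user_path)))


def safe_path(user_path: str) -> str:
    """Hardened pattern: decode, normalise, then require the normalised result to sit
    under BASE_DIR. commonpath (rather than str.startswith) also rejects sibling
    directories such as /srv/geoanalytics/data2. This check is lexical only: a symlink
    inside BASE_DIR that points outside still needs a realpath() check at open time."""
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise PermissionError(f"rejected path escaping {BASE_DIR}: {user_path!r}")
    return candidate


def demo() -> dict:
    """Run constructed inputs through both resolvers; 'safe' is None when rejected."""
    inputs = [
        "regions/europe.geojson",          # legitimate
        "../../../etc/passwd",             # classic traversal
        "..%2F..%2F..%2Fetc%2Fpasswd",     # same payload, URL-encoded
        "/etc/passwd",                     # absolute path discards the base
        "../data2/secret.json",            # sibling-directory prefix trick
    ]
    results = {}
    for p in inputs:
        try:
            safe = safe_path(p)
        except PermissionError:
            safe = None
        results[p] = {"naive": naive_path(p), "safe": safe}
    return results


if __name__ == "__main__":
    for p, r in demo().items():
        print(f"{p!r}: naive -> {r['naive']}, safe -> {r['safe']}")
```

The decode step matters: if the server URL-decodes the parameter after the check instead of before, an encoded `%2e%2e%2f` passes validation and is only turned into `../` afterwards.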
QB-10518 - Server Side Request Forgery (SSRF) in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (7.6 High)
Due to improper validation of user-supplied input, a user may be able to access resources within the network in the context of the service account running the GeoAnalytics service.
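QB-10518 is the SSRF class: a server-side fetch whose destination is taken from user input, so the request is made from the GeoAnalytics host's network position rather than the user's. The Python below is an added example of validating such a destination, not Qlik's code and not a description of how Maps fetches anything; the allowlisted host `tiles.example.com`, the `FAKE_DNS` table and the sample URLs are all constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real service would call
# socket.getaddrinfo() and check every address it returns, not only the first.
FAKE_DNS = {
    "tiles.example.com": ["93.184.216.34"],
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"tiles.example.com"}   # constructed allowlist for a map-tile provider


def naive_is_allowed(url: str) -> bool:
    """Vulnerable pattern: a string-prefix check on the raw URL. Both
    https://tiles.example.com@10.0.0.5/ (userinfo trick) and
    https://tiles.example.com.evil.test/ (suffix trick) pass."""
    return url.startswith("https://tiles.example.com")


def is_internal(ip) -> bool:
    """Addresses a server-side fetch must never reach: RFC 1918, loopback, link-local
    (which includes the 169.254.169.254 cloud metadata endpoint), multicast, reserved."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def safe_is_allowed(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> bool:
    """Hardened pattern: parse the URL, allowlist scheme and exact hostname, then resolve
    the name and reject if any answer is an internal address (catches an allowed name
    whose DNS record points into 10/8). The HTTP client must then connect to the
    address checked here; a second independent lookup can be rebound after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or parts.hostname is None:
        return False
    if parts.username is not None:          # reject user@host forms outright
        return False
    host = parts.hostname.lower()
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    if not addrs:
        return False
    return all(not is_internal(ipaddress.ip_address(a)) for a in addrs)


def demo() -> dict:
    """Constructed URLs through both checks; value is (naive, safe)."""
    urls = [
        "https://tiles.example.com/tiles/1/2/3.png",
        "https://tiles.example.com@10.0.0.5/admin",
        "https://tiles.example.com.evil.test/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ]
    return {u: (naive_is_allowed(u), safe_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for u, (naive, safe) in demo().items():
        print(f"{u}: naive={naive} safe={safe}")
    # DNS-rebinding style case: the allowed name answers with an internal address.
    print("rebound:", safe_is_allowed("https://tiles.example.com/x", resolve=lambda h: ["10.0.0.5"]))
```

Scheme and hostname allowlisting handle the obvious cases; the resolved-address check is what stops an allowed name that resolves (or is later rebound) to an internal address, which is the scenario the advisory's "resources within a network" wording describes.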
QB-10519 - JavaScript Injection in Maps
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5 High)
Due to improper validation of user-supplied input, a malicious user may be able to inject client-side scripts that are run in the context of another user.
QB-10517 - Reflected Cross-site Scripting (XSS)
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (5.8 Medium)
Due to improper validation of user-supplied input, an attacker may be able to craft a URL which, if another user visits it, causes client-side scripts to run in the context of that user.
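Both QB-10519 and QB-10517 come down to user-controlled text reaching a page without encoding for the context it lands in. The Python below is an added example covering the two contexts that matter most, HTML body text and an inline script literal; it is not Qlik's markup or code, and the `PAGE` template and the payloads are constructed. The second context is the one `html.escape` alone does not fix: inside `<script>`, a JSON-encoded string still ends the block if it contains `</script>`.

```python
import html
import json

# Constructed page template for a hypothetical map-label endpoint; not Qlik's markup.
PAGE = ("<html><body><h1>Map: {title}</h1>"
        "<script>var label = {label};</script></body></html>")


def render_naive(title: str, label: str) -> str:
    """Vulnerable pattern: request parameters are concatenated into HTML and into an
    inline script with no encoding, so a crafted value closes the tag or the string
    literal and the attacker's script runs in the viewer's browser."""
    return PAGE.format(title=title, label='"' + label + '"')


def js_string(value: str) -> str:
    """Encode a value for an inline <script> string context. json.dumps handles quotes
    and backslashes but leaves '<' alone, so a '</script>' in the value would still
    end the script block; emit the HTML-significant characters as JSON \\uXXXX escapes,
    which JavaScript decodes back to the original characters."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(title: str, label: str) -> str:
    """Hardened pattern: encode each value for the context it lands in. Body text gets
    html.escape (quote=True also makes it safe inside a quoted attribute); the script
    literal gets js_string."""
    return PAGE.format(title=html.escape(title, quote=True), label=js_string(label))


def script_tag_count(page: str) -> int:
    """Number of opening <script tags in the output; the template itself contributes one."""
    return page.lower().count("<script")


if __name__ == "__main__":
    # Constructed payloads: one targets the HTML context, one the script context.
    html_payload = '<script>alert(document.cookie)</script>'
    js_payload = '</script><script>alert(document.cookie)</script>'
    for name, fn in (("naive", render_naive), ("safe", render_safe)):
        out = fn(html_payload, js_payload)
        print(f"{name}: {script_tag_count(out)} <script tag(s)\n  {out}")
```

A reflected case (QB-10517) is simply `render_naive` fed straight from a query parameter in a link the victim clicks; the injection in QB-10519 is the same encoding failure on whatever path the value takes into the page. Content Security Policy limits the damage but is not a substitute for output encoding.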
It is recommended to upgrade Qlik GeoAnalytics server to a version containing fixes. The first versions with the fixes are:
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
Can you please elaborate on the vulnerable versions, as the wording here is a bit ambiguous when you say "versions prior to these releases"?
for November 2021 SR4, does that mean November 2021 SR1-3 are all vulnerable?
Hello @AdamJohnson
Versions prior to them will be affected, yes. So SR4 indicates prior SRs are affected (initial release to SR3, etc).
All the best,
Sonja