
Vulnerabilities on libcurl.dll
During our regular scans we found some vulnerabilities in libcurl.dll (CVEs listed below). We are using Qlik Sense version 14.78.23 (August 2022, patch 16).
The recommendation is to upgrade to libcurl 8.4.0. Please advise whether any patches are available that upgrade libcurl.
CVE-2023-38545 (Heap Buffer Overflow)
CVE-2023-38546 (Cookie Injection)
@Sangeeta From what I see, this has not been officially reported by Qlik: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enter...
If you have any concerns, please reach out to your success engineer at Qlik.

Same here: CVE-2023-38545, Qlik Sense Enterprise on Windows February 2024 (14.173.3).
The scan found affected libcurl.dll versions in
C:\Program Files\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage\...
Search of Qlik Community did not produce any references to CVE-2023-38545.
What would be a solution here?

Hi Sangeeta,
I don't think Qlik will provide a patch, since the August 2022 release has no longer been supported since August 2024.
I think you need to update your Qlik environment. The libcurl.dll is stored in several places on Windows, in Qlik- and PostgreSQL-related paths (search your filesystem and check the file properties under "Details" - Version).
On my test VM I have May 2024 and PostgreSQL 14, and none of the different libcurl.dlls are lower than 8.4.0 ...
Best regards
Thomas
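One way to carry out the filesystem search described above, as an added example that is not from the thread or from Qlik: a PowerShell script that lists every libcurl DLL under the usual Qlik and PostgreSQL program directories and flags any whose file version is below a chosen minimum. The search roots and the 8.4.0 default are assumptions based on the paths and versions mentioned in this thread; pass 8.9.1 to check against the later fix discussed below.

```powershell
# Added example (not from the thread): inventory libcurl DLL copies under the
# Qlik/PostgreSQL program directories and flag those below a minimum version.
# Default minimum 8.4.0 (CVE-2023-38545/38546 fix); use -MinimumVersion 8.9.1
# to check against the CVE-2024-7264 fix version mentioned later in the thread.
param(
    [version]$MinimumVersion = [version]'8.4.0',
    [string[]]$SearchRoots = @(                      # assumed roots, adjust as needed
        "$env:ProgramFiles\Qlik",
        "$env:ProgramFiles\Common Files\Qlik",       # path named in the thread
        "$env:ProgramFiles\PostgreSQL"
    )
)

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter 'libcurl*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # FileVersionRaw is the parsed [version] from the fixed-file-info block;
            # FileVersion is free text, so fall back to extracting digits from it.
            $fileVersion = $vi.FileVersionRaw
            if (-not $fileVersion) {
                $m = [regex]::Match([string]$vi.FileVersion, '\d+(\.\d+){1,3}')
                if ($m.Success) { $fileVersion = [version]$m.Value }
            }
            [pscustomobject]@{
                Path         = $_.FullName
                FileVersion  = $fileVersion
                ProductName  = $vi.ProductName
                # Unknown version is treated as below minimum so it gets reviewed.
                BelowMinimum = ($null -eq $fileVersion) -or ($fileVersion -lt $MinimumVersion)
            }
        }
}

$findings | Sort-Object Path | Format-Table Path, FileVersion, BelowMinimum -AutoSize

$outdated = @($findings | Where-Object BelowMinimum)
Write-Host "$(@($findings).Count) libcurl DLL(s) found, $($outdated.Count) below $MinimumVersion"
exit ([int]($outdated.Count -gt 0))   # non-zero exit for use in scheduled checks
```

A flagged DLL is a candidate for review rather than a confirmed exposure: as a later reply in this thread points out, whether CVE-2024-7264 applies depends on the TLS backend the DLL was built with.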

This is an old post; we have already moved to May 2024 patch 11, and now there are new vulnerabilities in 8.4.0 which are fixed in version 8.9.1, so we are waiting for a new patch.


Another vulnerability in libcurl: https://curl.se/docs/CVE-2024-7264.html
This is being picked up on our May 2024 system:
\QvOdbcConnectorPackage\presto\lib\LibCurl64.DllA\libcurl.dll
Installed version: 8.1.2.0. Fixed version: 8.9.1.
Can someone check which version of libcurl.dll is shipped with November 2024?

@shaun_lombard the connector driver is compiled with OpenSSL and as such is not vulnerable to CVE-2024-7264;
only those models are
This parser bug was actually introduced in curl 7.32.0 but was then used only by the GSKit TLS backend which is no longer supported. The functionality was later brought to other TLS backends in different versions, so this bug affects curl built with different backends starting in different versions:
