Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265)
May 15, 2024 3:25:44 AM
Aug 29, 2023 9:14:00 AM
Executive Summary
Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).
These issues were identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian.
Qlik has received reports that this vulnerability may be in use by malicious actors. Customers should confirm they have applied the patches outlined in this bulletin. If there are additional questions, customers may log a case with Qlik Support.
Affected Software
All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
Severity Rating
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates one as high severity and one as critical.
Vulnerability Details
CVE-2023-41266 (QB-21220) Path traversal in Qlik Sense Enterprise for Windows
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High)
Due to improper validation of user-supplied input, it is possible for an unauthenticated remote attacker to generate an anonymous session, which allows them to perform HTTP requests to unauthorized endpoints.
CVE-2023-41265 (QB-21222) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)
Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application.
Resolution
Recommendation
These recommendations apply at the time of writing (August 2023). For up-to-date information, please refer to the Qlik Security Notice and review the latest Release Notes for your Qlik Sense version. Always update to the most recent patch.
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
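To confirm an installation is covered, compare its release branch and patch level against the fixed versions listed above. The check below is an added example, not a Qlik tool; it parses version strings in the form shown in this bulletin ("May 2023 Patch 3", "August 2023 Initial Release"), encodes the first fixed patch per branch from the Resolution section, and treats releases older than August 2022 as affected because no fixed patch is listed for them. The handling of releases newer than August 2023 is an assumption (that later releases ship with the fix) and is marked as such in the code.

```python
"""Patch-level check for this bulletin (added example, not Qlik tooling).

Decides, from a Qlik Sense Enterprise for Windows version string, whether
the installation is below the first fixed patch level for its release branch.
"""
import re

MONTHS = {name: index for index, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# First patch level per release branch that contains the fix, taken from the
# Resolution section of this bulletin. "Initial Release" is modelled as patch 0.
FIXED_AT = {
    (2023, 8): 0,    # August 2023 Initial Release
    (2023, 5): 4,    # May 2023 Patch 4
    (2023, 2): 8,    # February 2023 Patch 8
    (2022, 11): 11,  # November 2022 Patch 11
    (2022, 8): 13,   # August 2022 Patch 13
}

_VERSION_RE = re.compile(
    r"^\s*([A-Za-z]+)\s+(\d{4})\s+(?:Patch\s+(\d+)|Initial\s+Release)\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (year, month, patch) for 'May 2023 Patch 3' style strings."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    month = MONTHS.get(match.group(1).lower())
    if month is None:
        raise ValueError(f"unknown month in version string: {text!r}")
    patch = int(match.group(3)) if match.group(3) is not None else 0
    return int(match.group(2)), month, patch


def is_vulnerable(text):
    """Return (vulnerable, reason) for a version string, per this bulletin."""
    year, month, patch = parse_version(text)
    branch = (year, month)
    if branch in FIXED_AT:
        needed = FIXED_AT[branch]
        if patch >= needed:
            return False, f"{text}: at or above fixed patch {needed} for this branch"
        return True, f"{text}: below fixed patch {needed}; apply it or move to a newer release"
    if branch < min(FIXED_AT):
        return True, f"{text}: older than August 2022; no fixed patch is listed, upgrade to a fixed release"
    if branch > max(FIXED_AT):
        # Assumption (not stated in the bulletin): releases after August 2023 include the fix.
        return False, f"{text}: newer than August 2023, assumed to include the fix"
    return True, f"{text}: branch not listed in the bulletin; treat as affected until confirmed"


if __name__ == "__main__":
    # Constructed sample inventory, one line per server.
    for version in ["May 2023 Patch 3", "May 2023 Patch 4",
                    "August 2023 Initial Release", "November 2022 Patch 10",
                    "May 2022 Patch 5"]:
        vulnerable, reason = is_vulnerable(version)
        print("VULNERABLE " if vulnerable else "ok         ", reason)
```

The branch-aware comparison matters because patch numbers are only ordered within a branch: "February 2023 Patch 7" is affected while "May 2023 Patch 4" is fixed, even though 7 is the larger number. Unlisted branches between August 2022 and August 2023 default to affected rather than fixed, so an unexpected version string fails closed.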
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
For discussions and questions, comment directly on the related blog post. We will be monitoring it. Thank you!