Executive Summary
A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).
This issue was responsibly disclosed to Qlik and no reports of it being maliciously exploited have been received.
Affected Software
All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
- February 2024 Patch 3
- November 2023 Patch 8
- August 2023 Patch 13
- May 2023 Patch 15
- February 2023 Patch 13
- November 2022 Patch 13
- August 2022 Patch 16
- May 2022 Patch 17
Severity Rating
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as high.
Vulnerability Details
CVE-2024-36077 (QB-26216) Privilege escalation for authenticated/anonymous user
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 8.8 (High)
Due to improper input validation, a remote attacker with existing privileges is able to elevate them to the internal system role, which in turn allows them to execute commands on the server.
Resolution
Recommendation
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing the fix for this issue. Fixes are available in the following versions:
- May 2024 Initial Release
- February 2024 Patch 4
- November 2023 Patch 9
- August 2023 Patch 14
- May 2023 Patch 16
- February 2023 Patch 14
- November 2022 Patch 14
- August 2022 Patch 17
- May 2022 Patch 18
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
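As an added example (not Qlik's code or tooling), the following check classifies an installed Qlik Sense Enterprise for Windows version string against the fixed patch levels listed above. It assumes release trains newer than May 2024 branched after the fix, and that trains older than May 2022 have no fix published in this advisory.

```python
# Added example: determine whether an installed Qlik Sense Enterprise for
# Windows version includes the CVE-2024-36077 fix, using the advisory's
# "Recommendation" list. Not part of the original advisory.
import re

MONTHS = {"february": 2, "may": 5, "august": 8, "november": 11}

# Release train (year, month) -> first patch level containing the fix.
# "May 2024 Initial Release" is treated as patch 0 of the May 2024 train.
FIXED_PATCH = {
    (2024, 5): 0, (2024, 2): 4, (2023, 11): 9, (2023, 8): 14, (2023, 5): 16,
    (2023, 2): 14, (2022, 11): 14, (2022, 8): 17, (2022, 5): 18,
}
NEWEST_TRAIN_IN_ADVISORY = (2024, 5)

VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\s*"
    r"(?:Patch\s+(?P<patch>\d+)|Initial\s+Release)?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Parse e.g. 'November 2023 Patch 8' into ((year, month), patch)."""
    m = VERSION_RE.match(text)
    if not m or m.group("month").lower() not in MONTHS:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    train = (int(m.group("year")), MONTHS[m.group("month").lower()])
    patch = int(m.group("patch") or 0)
    return train, patch


def is_fixed(text):
    """True if the given version contains the CVE-2024-36077 fix."""
    train, patch = parse_version(text)
    if train > NEWEST_TRAIN_IN_ADVISORY:
        # Assumption: trains released after May 2024 carry the fix.
        return True
    required = FIXED_PATCH.get(train)
    if required is None:
        # Older than May 2022: listed as affected, no fixed patch published.
        return False
    return patch >= required


if __name__ == "__main__":
    for v in ("February 2024 Patch 3", "February 2024 Patch 4"):
        print(v, "->", "fixed" if is_fixed(v) else "AFFECTED")
```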
Credit
This issue was identified and responsibly reported to Qlik by Daniel Zajork.
Edited 20th of May 2024: Added recently assigned CVE number.