Qlik Sense Enterprise on Windows: Information Leak in /api/about/v1/thirdParty

ToniKautto · Aug 3, 2023 2:10:54 AM

Security vulnerability scan report may refer to "System Information Leak" in the response from the About Service API end-point /api/about/v1/thirdParty.

This API returns a list of third-party software that is installed in the product. Details include information about copyright, version, licensing, and legal notices.

The disclaimer text of some third-party components may include IP address references. These references come from the third-party provider's disclaimer or open-source license details. The IP address references do not refer to details from the installed environment.

For example, an internal IP address (10.x.x.x) is referred to in the disclaimer text for the Torch Cephes Math Library. This reference is part of the library's open-source license https://github.com/deepmind/torch-cephes/blob/master/LICENSE.txt.

Resolution

Third-party software details contain disclaimer text as required for the third-party software provider.
IP references in third-party software disclaimers can be considered false-positive test results.

Qlik can not alter the third-party vendor disclaimers.

Qlik Sense Enterprise on Windows: Information Leak in /api/about/v1/thirdParty

Qlik Sense Enterprise on Windows: Information Leak in /api/about/v1/thirdParty

Resolution

Related Content

Environment

API

Security