Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
amarvilass
Contributor III
Contributor III
‎2024-05-09 02:51 AM

Postgres vulnerability CVE-2024-4215 & CVE-2024-4216

Hi All,

We are currently on May 2023 Patch10 version with Postgres12.

Understand from our security team that there are the below two vulnerabilities for Postgres

 

  1. Cross-Site Scripting Vulnerability (CVE-2024-4216)

This vulnerability exists in pgAdmin, specifically inside the /settings/store API response json payload. Exploiting this vulnerability could allow a threat actor to execute malicious script on the client end and steal sensitive cookies.

 

  1. Multi-Factor Authentication Bypass (CVE-2024-4215)

This vulnerability affects pgAdmin, which could allow a threat actor to bypass multi-factor authentication on affected versions.

 

Is anyone aware if it affect Qlik Sense enterprise on windows?

 

Thanks & Regards

Amar Shedage

Labels (1)
Labels
554 Views
4 Replies
David_Friend
Support
Support
‎2024-05-09 09:12 AM

@amarvilass what specific version of Postgres are you using and is it bundled/unbundled?

512 Views
0 Likes
amarvilass
Contributor III
Contributor III
‎2024-05-11 11:14 AM
Author

Hi @David_Friend 

 

It is the bundled version postgres 12.5 that comes with default with the old version Feb 2022 version.

 

Thanks & Regards

Amar

469 Views
0 Likes
Maria_Halley
Support
Support
‎2024-05-14 03:56 AM

@amarvilass 

It looks like this vulnerability only affects PgAdmin. PgAdmin is not installed by Qlik. It is only used if you do changes in the database. 

405 Views
0 Likes
amarvilass
Contributor III
Contributor III
‎2024-05-14 05:39 AM
Author

Thanks @Maria_Halley 

The reason I was checking this is to resolve an issue with Qlik due to a custom properties being duplicated and injected multiple times after Qlik upgrade. This issue causes the jobs to fail even though the status reflect as successful. The job failure is causing the AD sync job to fail and not add new users. The solution to this lies in the below link

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-on-premise-reloads-fail-with-Warn...

The solution proposed from Qlik needs the PgAdmin to be used to remove the duplicate properties. Will you be able to suggest if this will cause any issue?

Thanks & Regards

Amar

 

 

  

399 Views
0 Likes