As part of vulnerability testing it was found that the API returns the version number, mode and server information, which constitutes information leakage and can be used for malicious purposes and for attacking the system.
One example where information is leaked by the API is api/hub/about, which returns {"links":{"self":"/about/"},"data":[{"version":{"full":"1.10.7","major":"1","minor":"10","patch":"7"},"mode":"enterprise"}]}. Such information is treated as information leakage and can be used to take advantage of the system.
Such information should not be returned by the Qlik API and should be removed in a future release.
Below are the details shared by our security team on the implications and recommendations.
Implications:
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
Recommendations:
Specify data output such that no sensitive data is sent. Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere.
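As an added example (not part of the original post and not Qlik's own code), the following script shows one way to act on the recommendation above: it walks an API response, reports every field that discloses platform details, and produces a copy with those fields removed so the endpoint can be compared against what it should return. The sample body is the api/hub/about response quoted above; the list of sensitive key names is an assumption and would be tuned per API.

```python
import json

# Constructed sample: the /about body quoted in the post, copied verbatim.
LEAKY_ABOUT_RESPONSE = (
    '{"links":{"self":"/about/"},'
    '"data":[{"version":{"full":"1.10.7","major":"1","minor":"10","patch":"7"},'
    '"mode":"enterprise"}]}'
)

# Assumed set of key names that reveal platform details to a caller.
# Extend this per API; it is a starting point, not an exhaustive list.
SENSITIVE_KEYS = {"version", "mode", "server", "build", "debug"}


def find_disclosures(obj, path="$"):
    """Recursively walk a decoded JSON document and return a list of
    (json_path, value) tuples for every key whose name is sensitive.
    A sensitive subtree is reported once and not descended into."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                findings.append((child, value))
            else:
                findings.extend(find_disclosures(value, child))
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            findings.extend(find_disclosures(item, f"{path}[{index}]"))
    return findings


def redact(obj):
    """Return a copy of the document with every sensitive key removed,
    at any nesting depth. Non-container values are returned unchanged."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def check_response(body):
    """Parse a JSON response body and return (findings, redacted_body).
    findings is empty when the body discloses nothing sensitive."""
    doc = json.loads(body)
    findings = find_disclosures(doc)
    redacted = json.dumps(redact(doc), separators=(",", ":"))
    return findings, redacted


if __name__ == "__main__":
    found, clean = check_response(LEAKY_ABOUT_RESPONSE)
    for json_path, value in found:
        print(f"disclosure at {json_path}: {value!r}")
    print("minimal-disclosure body:", clean)
```

Run against the sample, the script reports the version object and the mode string under data[0] and leaves a body that still carries the self link but nothing about the installed release or edition; the same check can be pointed at other endpoints during a review to confirm they only return what their requirements specify.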