Skip to main content
Announcements
Qlik Introduces a New Era of Visualization! READ ALL ABOUT IT

High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077)

100% helpful (7/7)
cancel
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077)

Last Update:

May 20, 2024 2:56:39 AM

Updated By:

Sonja_Bauernfeind

Created date:

May 15, 2024 5:14:54 AM

Executive Summary 

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE). 

This issue was responsibly disclosed to Qlik and no reports of it being maliciously exploited have been received. 

 

Affected Software 

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted: 

  • February 2024 Patch 3 
  • November 2023 Patch 8 
  • August 2023 Patch 13 
  • May 2023 Patch 15 
  • February 2023 Patch 13 
  • November 2022 Patch 13 
  • August 2022 Patch 16 
  • May 2022 Patch 17

Severity Rating 

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as high.  

Vulnerability Details

CVE-2024-36077(QB-26216) Privilege escalation for authenticated/anonymous user 

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 8.8 (High) 

Due to improper input validation, a remote attacker with existing privileges is able to elevate them to the internal system role, which in turns allows them to execute commands on the server.  

Resolution 

Recommendation 

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions: 

  • May 2024 Initial Release 
  • February 2024 Patch 4 
  • November 2023 Patch 9 
  • August 2023 Patch 14 
  • May 2023 Patch 16 
  • February 2023 Patch 14 
  • November 2022 Patch 14 
  • August 2022 Patch 17 
  • May 2022 Patch 18 

 

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

Credit

This issue was identified and responsibly reported to Qlik by Daniel Zajork. 

 

Edited 20th of May 2024: Added recently assigned CVE number.

 

Labels (1)
Comments
Sonja_Bauernfeind
Digital Support
Digital Support

For discussions and questions, comment directly on the related blog post.  We will be monitoring it. Thank you!

Contributors
Version history
Last update:
Monday
Updated by: