Skip to main content
[WEBINAR] Accenture & Qlik: Accelerating BI Migration to SaaS with Qlik on Dec 13th: REGISTER

SB: Potential security risk for Command task name and permissions.

No ratings
Showing results for 
Search instead for 
Did you mean: 
Former Employee
Former Employee

SB: Potential security risk for Command task name and permissions.

Last Update:

Aug 28, 2020 3:54:39 AM

Updated By:


Affected versions: all Compose versions for both Compose for Data Warehouses and Compose for Data Lakes.

Vulnerability description: A malicious Compose authorized user with Operator, Designer or Administrator roles can leverage this vulnerability for remote code execution of arbitrary server code on the Compose Windows server under the credentials the Compose service is running under. This is done using the command task feature in Compose. 


Patch availability: Patches that address this vulnerability are available on the download site for these supported versions:

Compose for Data Warehouses:

  • Version 3.1: SP20: SR1
  • Version 6.5: SP11: SR3
  • Version 6.6: SP10: SR4

Compose for Data Lakes:

  • Version 6.5: SP08: SR2
  • Version 6.6: SP06: SR3

Note that, following this patch installation, users will need Designer or Administrator roles in order to create or edit Compose command tasks. Users with Operator role will not have this ability anymore.

If still running Compose 6.4 (either products) please upgrade using one of the provided patches. If this is not possible, please open a support ticket requesting a patch for 6.4.

Labels (1)
Version history
Last update:
‎2020-08-28 06:54 AM
Updated by: