A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized disclosure of information from the server running GeoAnalytics, or to attacker-supplied client-side script executing in the context of a user's browser session.
These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.
All Qlik GeoAnalytics server versions prior to these releases are impacted:
May 2022 SR1
February 2022 SR1
November 2021 SR4
May 2021 SR3
February 2021 SR3
November 2020 SR3
September 2020 SR3
June 2020 SR3
Three vulnerabilities are rated as high due to the possibility of information disclosure impacting the server running GeoAnalytics. One is rated as medium as it allows client-side script injection. See below for the scoring breakdown.
QB-10651 - Path traversal vulnerability in GeoAnalytics Server Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)
Due to improper validation of user-supplied input, a malicious user may be able to access files on the server that they should not have access to.
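The advisory does not describe the affected endpoint, so the following is an added illustration of the general weakness class rather than Qlik's code: a hypothetical file-serving handler that maps a client-supplied name onto a fixed directory (DATA_ROOT is an assumed, non-existent path), shown first without a containment check and then with one. The hardened variant decodes the input once, rejects absolute paths, NUL bytes and backslashes, canonicalises the result and requires it to remain under the root.

```python
"""Added example: path-traversal containment check (not Qlik code).

DATA_ROOT is a hypothetical root directory; nothing needs to exist on disk,
since the check works on canonicalised path strings.
"""
import os
from typing import Optional
from urllib.parse import unquote

DATA_ROOT = "/srv/geo/data"  # assumed root for the hypothetical endpoint


def resolve_unsafe(root: str, user_path: str) -> str:
    """Vulnerable pattern: joins and normalises the user-supplied name but
    never checks that the result stays under root, so '../' escapes."""
    return os.path.normpath(os.path.join(root, user_path))


def resolve_safe(root: str, user_path: str) -> str:
    """Hardened pattern: canonicalise, then enforce containment.

    Raises ValueError for anything that does not resolve to a path under
    root. The caller should treat that as a 4xx, not fall back to root.
    """
    decoded = unquote(user_path)  # decode once; do not decode in a loop
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if "\\" in decoded:
        # A backslash is a legal filename byte on POSIX, but for a served
        # tree it is only ever a traversal attempt, so reject it outright.
        raise ValueError("backslash in path")
    if os.path.isabs(decoded):
        # os.path.join(root, "/etc/passwd") silently discards root.
        raise ValueError("absolute path not allowed")

    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    # commonpath works on components, so "/srv/geo/data2" is not mistaken
    # for a child of "/srv/geo/data" (a startswith() check would be).
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"path escapes root: {user_path!r}")
    return candidate


def serve_path(user_path: str, root: str = DATA_ROOT) -> Optional[str]:
    """Handler-level wrapper: canonical path to serve, or None to reject."""
    try:
        return resolve_safe(root, user_path)
    except ValueError:
        return None


if __name__ == "__main__":
    for name in ("tiles/1/2.png", "../../../etc/passwd",
                 "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{name!r:35} unsafe={resolve_unsafe(DATA_ROOT, name)!r:30} "
              f"safe={serve_path(name)!r}")
```

Note that realpath resolves symlinks inside the root as well, so a symlink planted under the data directory pointing outside it is also rejected; a normpath-only check would not catch that case.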
QB-10518 - Server Side Request Forgery (SSRF) in Maps Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (7.6 High)
Due to improper validation of user-supplied input, a user may be able to access resources within the network in the context of the service account running the GeoAnalytics service.
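Again the advisory gives no detail of the affected request, so the following is an added illustration of the mitigation class, not Qlik's code: a validator for a hypothetical server-side fetch of map resources from user-supplied URLs. It restricts the scheme, rejects embedded credentials, enforces a host allowlist (ALLOWED_HOSTS is assumed), resolves the host and refuses any non-global address, then returns the resolved address so the caller can pin it for the actual connection rather than resolving a second time. The resolver is injectable; FAKE_DNS is constructed sample data so the example runs offline.

```python
"""Added example: outbound-URL validation against SSRF (not Qlik code).

ALLOWED_HOSTS and FAKE_DNS are constructed for the example; the real
resolver below is only used when no fake is injected.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

# Hypothetical hosts the service is permitted to fetch map data from.
ALLOWED_HOSTS: Set[str] = {"tiles.example.com", "geocode.example.com"}

# Constructed DNS data for offline use: one allowed host resolves to a
# public address, one has been (mis)pointed at an internal address.
FAKE_DNS = {
    "tiles.example.com": ["93.184.216.34"],
    "geocode.example.com": ["10.0.0.5"],
    "evil.example.net": ["1.1.1.1"],
}

Resolver = Callable[[str], Iterable[str]]


def fake_resolver(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> Iterable[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects RFC 1918, loopback, link-local (including the 169.254.169.254
    cloud metadata endpoint), multicast and unspecified addresses. An IPv4
    address mapped into IPv6 is unwrapped first so it cannot bypass the check.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str,
                          allowed_hosts: Set[str] = ALLOWED_HOSTS,
                          resolver: Resolver = system_resolver) -> Optional[str]:
    """Return the resolved IP to connect to, or None if the URL is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # no file:, gopher:, ftp: ...
    if parts.username or parts.password:
        return None                      # "allowed.host@evil.host" tricks
    host = parts.hostname                # lowercased, brackets stripped
    if not host or host not in allowed_hosts:
        return None
    if parts.port not in (None, 80, 443):
        return None                      # no probing of internal ports

    ips = list(resolver(host))
    if not ips or not all(is_public_address(ip) for ip in ips):
        return None                      # allowlisted name pointing inside
    # Pin ips[0]: connect to this address (with SNI/Host set to `host`)
    # instead of resolving again, which defeats DNS rebinding.
    return ips[0]


if __name__ == "__main__":
    for u in ("https://tiles.example.com/1/2/3.png",
              "https://geocode.example.com/search?q=x",
              "http://169.254.169.254/latest/meta-data/",
              "https://tiles.example.com@evil.example.net/"):
        print(f"{u:48} -> {validate_outbound_url(u, resolver=fake_resolver)}")
```

The allowlist alone is not sufficient, which is why the resolved addresses are checked too: an allowed name that resolves (or is rebound mid-request) to an internal address would otherwise still let the caller reach resources in the service account's network context.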