Critical Flaws Identified in Qlik Sense Enterprise for Windows
Qlik Sense Enterprise is a powerful business intelligence (BI) and data analytics platform that helps organizations make better decisions. However, two critical security vulnerabilities have been found in Qlik Sense Enterprise for Windows. Successful exploitation could lead to server compromises and unauthenticated remote code execution (RCE). Thankfully, vigilant researchers Adam Crosser and Thomas Hendrickson of Praetorian identified and responsibly reported these issues to Qlik, ensuring preventive measures could be put in place.
CVE-2023-41266 (QB-21220) Path Traversal in Qlik Sense Enterprise for Windows
- Severity: High (CVSS:3.1 score of 8.2)
- Description: This flaw arises from improper validation of user input. An unauthenticated remote attacker can generate an anonymous session, which grants the ability to send HTTP requests to endpoints that should not be reachable without authorization.
CVE-2023-41265 (QB-21222) HTTP Tunneling Vulnerability in Qlik Sense Enterprise for Windows
- Severity: Critical (CVSS:3.1 score of 9.6)
- Description: The second weakness stems from inadequate validation of HTTP headers. This gap allows an attacker to elevate privileges by tunneling HTTP requests, giving them the ability to send requests to the backend server, specifically the repository application.
The following versions of Qlik Sense Enterprise for Windows, together with all earlier releases, are vulnerable to these security threats:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
Qlik has released patches for these vulnerabilities. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing the patches as soon as possible.
The following versions of Qlik Sense Enterprise for Windows contain the patches for CVE-2023-41266 and CVE-2023-41265:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
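As an added defender-side check, not code from Qlik or from the advisory, the script below encodes the affected and patched release levels listed above and classifies an installed version string as patched or vulnerable. The version-string format ("Month Year Patch N" or "Month Year Initial Release") and the treatment of release trains older than August 2022 as vulnerable are assumptions made for this example.

```python
import re

# Month names used in Qlik Sense release names, mapped to numbers for ordering.
MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

# First patch level of each release train that contains the fixes for
# CVE-2023-41266 and CVE-2023-41265, taken from the patched-version list.
FIXED_PATCH = {
    (2022, 8): 13,   # August 2022 Patch 13
    (2022, 11): 11,  # November 2022 Patch 11
    (2023, 2): 8,    # February 2023 Patch 8
    (2023, 5): 4,    # May 2023 Patch 4
}
FIRST_FIXED_TRAIN = (2023, 8)  # August 2023 Initial Release and later ship fixed

# Assumed version-string format: "<Month> <Year> Patch <N>" or "<Month> <Year> Initial Release".
VERSION_RE = re.compile(
    r"^\s*([A-Za-z]+)\s+(\d{4})\s+(?:Patch\s+(\d+)|Initial\s+Release)\s*$", re.IGNORECASE)

def parse_version(text):
    """Parse a release name into ((year, month), patch); Initial Release is patch 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    month = MONTHS.get(m.group(1).lower())
    if month is None:
        raise ValueError(f"unknown month in version string: {text!r}")
    patch = int(m.group(3)) if m.group(3) else 0
    return (int(m.group(2)), month), patch

def is_patched(text):
    """True if the version contains the fixes for both CVEs, else False."""
    train, patch = parse_version(text)
    if train >= FIRST_FIXED_TRAIN:
        return True
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        # Assumption: trains older than August 2022 have no listed fix, so they
        # are reported as vulnerable rather than silently passed.
        return False
    return patch >= fixed

def assess(versions):
    """Classify an inventory of version strings as 'patched' or 'vulnerable'."""
    return {v: ("patched" if is_patched(v) else "vulnerable") for v in versions}
```

Feed `assess()` the release names gathered from your server inventory; any entry that raises `ValueError` needs to be checked by hand rather than assumed safe.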
Qlik has also released a security advisory that provides more information about the vulnerabilities. The security advisory can be found on the Qlik website.
These vulnerabilities are a serious threat to organizations that use Qlik Sense Enterprise for Windows. Customers should upgrade to a patched version of the software as soon as possible. Customers can download the patches from the Qlik website.