CVE-2024-36077: Remote Code Execution Threatens Qlik Sense Users
Qlik, a prominent player in the data analytics space, has issued a critical security advisory warning users of a high-risk vulnerability (CVE-2024-36077) in its Qlik Sense Enterprise for Windows platform. With a CVSS score of 8.8, this vulnerability could allow attackers to escalate privileges and potentially execute arbitrary code on affected servers, posing a significant threat to data integrity and confidentiality.
The root of the problem lies in improper input validation within the Qlik Sense Enterprise software. A remote attacker with even minimal access could exploit this flaw to elevate their privileges to the internal system role, which would grant them the ability to execute commands on the underlying server. This could lead to a complete compromise of the system, allowing attackers to steal sensitive data, install malware, or disrupt operations.
“A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE),” reads the security advisory.
The CVE-2024-36077 vulnerability impacts all versions of Qlik Sense Enterprise for Windows released prior to May 2024, including various patch levels from February 2022 to February 2024. The vulnerability was responsibly reported by cybersecurity researcher Daniel Zajork. Qlik has confirmed that there have been no reports of this vulnerability being maliciously exploited.
Qlik strongly recommends that all customers using Qlik Sense Enterprise for Windows immediately upgrade to a patched version. Patches are available for a range of releases, including the May 2024 Initial Release and subsequent patch updates for older versions.
Users can download the latest patched versions of Qlik Sense Enterprise for Windows from the official Qlik Download page. Detailed instructions on how to apply the patches are also available on the Qlik support website.