Qlik Sense Enterprise BI platform for Windows carries critical vulnerabilities
Take action: If you are using Qlik Sense Enterprise for Windows, it's time to lock it down in your internal network. Allow remote access only via VPN. Then plan to patch it.
Learn More
Qlik Sense Enterprise, a BI and data analytics platform, has been reported to have two critical security vulnerabilities in its Windows version.
Successful exploitation could lead to server compromise and unauthenticated remote code execution:
- CVE-2023-41265 (CVSS:3 score 8.2) is a path traversal flaw. Rooted in inadequate validation of user input, this vulnerability enables unauthenticated remote attackers to initiate anonymous sessions and send unauthorized HTTP requests to various endpoints.
- CVE-2023-41266 (CVSS:3.1 score 9.6) is a critical HTTP tunneling vulnerability. The weakness originates from insufficient HTTP header validation, which allows attackers to elevate privileges. HTTP tunneling is a technique in which one protocol, such as HTTP, is used to carry data belonging to another protocol, often to bypass security restrictions. In the context of this Qlik Sense Enterprise vulnerability, it means attackers could use HTTP requests to transmit unauthorized data or commands to the system, potentially gaining unauthorized access.
The risk extends to the following versions of Qlik Sense Enterprise for Windows:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
To address these vulnerabilities, Qlik has released patches, urging customers to expedite the upgrade of Qlik Sense Enterprise for Windows to patched versions:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
Qlik has published a security advisory, accessible on its website, providing comprehensive details about the vulnerabilities and associated risks. Customers are strongly advised to migrate to patched software versions promptly; the patches are available for download on the Qlik website.