Details of the new vulnerability

On September 20, Qlik released new service releases that address a newly identified vulnerability in Qlik Sense Enterprise for Windows.

The cause is a vulnerability in the HTTP header. It allows unauthorized users to change their rights on the Qlik server and thus, potentially, to execute queries (RCE, remote code execution). This primarily concerns publicly reachable Qlik Sense servers (Qlik Sense Enterprise for Windows), particularly if their IP address is known.

Important: Products such as Qlik Cloud and QlikView are NOT affected.

If it is absolutely necessary to publish the Qlik server outside your own organization, we recommend securing or concealing the IP address.

What to do now

Please update your Qlik solution if you are running one of the following releases or any earlier version:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

The following update versions include the fixes for the issues described above:

  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17

The listed fixes also address CVE-2023-41266 and CVE-2023-41265.
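
To triage several servers against the two lists above, the comparison can be scripted. The following is an added example, not code from Qlik or from this post; the host names and inventory are constructed, and treating a label without a patch suffix as the unpatched base release is an assumption.

```python
import re

# Lowest patch number that carries the fix, per release track (from the lists above).
FIXED_PATCH = {
    ("august", 2023): 2, ("may", 2023): 6, ("february", 2023): 10,
    ("november", 2022): 12, ("august", 2022): 14, ("may", 2022): 16,
    ("february", 2022): 15, ("november", 2021): 17,
}

# Matches labels such as "August 2023 Patch 1"; the patch suffix is optional.
LABEL_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})(?:\s+patch\s+(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def classify(label):
    """Return 'affected', 'fixed' or 'unknown' for one release label."""
    m = LABEL_RE.match(label)
    if not m:
        return "unknown"  # unparseable label: needs manual review
    track = (m["month"].lower(), int(m["year"]))
    if track not in FIXED_PATCH:
        return "unknown"  # track is not in the advisory's lists
    # Assumption: a label without a patch suffix is the unpatched base release.
    patch = int(m["patch"] or 0)
    return "fixed" if patch >= FIXED_PATCH[track] else "affected"


def triage(inventory):
    """Map each host to its status; anything not 'fixed' needs follow-up."""
    return {host: classify(label) for host, label in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "qs-prod-01": "August 2023 Patch 1",
    "qs-prod-02": "May 2023 Patch 6",
    "qs-test-01": "February 2022",
    "qs-old-01": "May 2021 Patch 3",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Release tracks that do not appear in the lists are reported as "unknown" rather than guessed, so they can be checked against the vendor's own bulletin.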

In our last post, "Serious vulnerability in Qlik Sense Enterprise", you'll find all the information about previous security issues.

The new Qlik releases can be downloaded via the Qlik download page.
