Details of the security vulnerabilities

The two vulnerabilities are known as CVE-2023-41266 and CVE-2023-41265. All versions of Qlik Sense Enterprise for Windows up to and including the following are affected:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

and all earlier versions. Qlik Cloud and QlikView are NOT affected.

UPDATE: A further critical security issue was published in September 2023. All important information can be found on our current page: Critical vulnerability Qlik Sense Enterprise 09/2023.

Recommended steps to address Qlik Sense security issues

There are no workarounds for these vulnerabilities. The only recommended action is therefore to upgrade to one of the following versions, which already contain the required fixes:

  • August 2023 initial release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13
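A small check that turns the two version lists above into a decision for an installed build, as an added example (not code from this page or from Qlik): given the release train and patch level as Qlik names them (for example "May 2023 Patch 3", or "August 2023" for the initial release), it reports whether the build contains the fix and, if not, the lowest fixed build on the same train. It assumes English month names and that you have already read the installed version from your Qlik Sense installation; the version lookup itself is not part of the example. Trains older than August 2022 have no fixed patch listed on the page and are treated as affected; trains newer than August 2023 are assumed to carry the fix.

```python
"""Decide whether a Qlik Sense Enterprise for Windows build contains the fix
for CVE-2023-41266 / CVE-2023-41265, based on the fixed-version list above.
Added example (not Qlik's code). Input strings are assumed to follow Qlik's
release naming, e.g. "May 2023 Patch 3" or "August 2023" (initial release),
with English month names."""
import re
from typing import NamedTuple, Optional

_MONTH_NAMES = ["January", "February", "March", "April", "May", "June", "July",
                "August", "September", "October", "November", "December"]
_MONTHS = {name.lower(): i for i, name in enumerate(_MONTH_NAMES, start=1)}


class Release(NamedTuple):
    year: int
    month: int  # 1..12; (year, month) orders the release trains
    patch: int  # 0 means initial release


# Lowest patch level that contains the fix, per release train (from the page).
FIXED_FROM = {
    (2022, 8): 13,   # August 2022 Patch 13
    (2022, 11): 11,  # November 2022 Patch 11
    (2023, 2): 8,    # February 2023 Patch 8
    (2023, 5): 4,    # May 2023 Patch 4
    (2023, 8): 0,    # August 2023 initial release
}
# First train whose initial release is already fixed; every later train is
# assumed to carry the fix too. Trains older than August 2022 have no fixed
# patch on the page and are therefore treated as affected.
FIRST_FIXED_TRAIN = (2023, 8)

_VERSION_RE = re.compile(
    r"^\s*(?:qlik\s+sense\s+)?(?P<month>[a-z]+)\s+(?P<year>\d{4})"
    r"(?:\s+(?:patch\s*(?P<patch>\d+)|initial\s+release|ir))?\s*$",
    re.IGNORECASE,
)


def parse_release(text: str) -> Release:
    """Parse e.g. "November 2022 Patch 10" or "August 2023 initial release"."""
    m = _VERSION_RE.match(text)
    if not m or m.group("month").lower() not in _MONTHS:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return Release(int(m.group("year")), _MONTHS[m.group("month").lower()], patch)


def is_fixed(text: str) -> bool:
    """True if the build is at or above the fixed patch level of its train."""
    rel = parse_release(text)
    train = (rel.year, rel.month)
    if train in FIXED_FROM:
        return rel.patch >= FIXED_FROM[train]
    # Train not listed on the page: fixed only if newer than August 2023.
    return train > FIRST_FIXED_TRAIN


def recommended_upgrade(text: str) -> Optional[str]:
    """Lowest fixed build on the same train, or the August 2023 initial
    release if the train has no fixed patch; None when already fixed."""
    if is_fixed(text):
        return None
    year, month, _ = parse_release(text)
    if (year, month) in FIXED_FROM:
        return f"{_MONTH_NAMES[month - 1]} {year} Patch {FIXED_FROM[(year, month)]}"
    return "August 2023 initial release"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "qs-prod-01": "May 2023 Patch 3",
        "qs-prod-02": "February 2023 Patch 8",
        "qs-test-01": "Qlik Sense June 2022 Patch 5",
    }
    for host, version in inventory.items():
        target = recommended_upgrade(version)
        status = "fixed" if target is None else f"AFFECTED, upgrade to {target}"
        print(f"{host}: {version}: {status}")
```

A string that does not match Qlik's naming (including non-English month names such as "Novembre") raises a ValueError rather than silently reporting "fixed", so a typo in an inventory sheet cannot hide an affected server.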

All authentication methods are affected by these vulnerabilities.

HTTP and HTTPS
The vulnerabilities affect both HTTP and HTTPS. Even when HTTP is disabled, the environment remains vulnerable: the attacks do not depend on whether the HTTP communication is encrypted.

As a result, third parties can gain unauthorized access to the Qlik system and send requests to endpoints they are not approved to use.

➡ Qlik rated the vulnerabilities as “high” and “critical”. In addition, the manufacturer recommends not exposing the proxy to the public Internet, in order to reduce the attack surface.

How to protect your Qlik Sense Enterprise environment

These vulnerabilities in Qlik Sense Enterprise for Windows are a serious concern that requires immediate action. Since there are no workarounds, upgrading is the only way to protect yourself against attacks. Install the latest security updates and patches to preserve the integrity of your data and systems.

Visit the official Qlik Community page for more information about the vulnerability in Qlik Sense.
