A critical security vulnerability has been discovered in Qlik Sense Enterprise for Windows, potentially allowing attackers to execute remote code on affected systems.
The issue, identified during internal security testing by Qlik, affects all versions of the software prior to and including specific releases up to May 2024 Patch 9.
The vulnerability, rated as “High” severity under the CVSS v3.1 scoring system, consists of two main issues:
- Remote Code Execution (RCE) via Connectors: Unprivileged users with network access could create connection objects that trigger the execution of arbitrary EXE files on Qlik Sense Enterprise for Windows servers.
- Broken Access Control (BAC): Unprivileged users with network access to Qlik Sense for Windows installations may be able to execute remote commands, with a potentially high impact on availability and significant integrity and confidentiality risks.
The vulnerabilities have been assigned CVSS scores of 8.8 and 7.5, respectively, indicating a high level of risk.
Security analysts at Qlik discovered that if successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution.
Affected Versions
The vulnerability affects all versions of Qlik Sense Enterprise for Windows prior to and including:
- May 2024 Patch 9
- February 2024 Patch 13
- November 2023 Patch 15
- August 2023 Patch 15
- May 2023 Patch 17
- February 2023 Patch 14
Qlik has released patches to address these vulnerabilities. Customers are strongly advised to upgrade their Qlik Sense Enterprise for Windows installations to the latest patched versions, which include:
- November 2024 Initial Release
- May 2024 Patch 10
- February 2024 Patch 14
- November 2023 Patch 16
- August 2023 Patch 16
- May 2023 Patch 18
- February 2023 Patch 15
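The two lists above describe a fixed-patch threshold per release train. The following triage helper, an added example that is not Qlik's code or from the original article, encodes those thresholds so an installed version string can be checked against them; the "Month Year Patch N" / "Month Year Initial Release" string format and the host inventory are assumptions.

```python
import re

MONTHS = {"February": 2, "May": 5, "August": 8, "November": 11}

# First fixed patch per release train, taken from the advisory's patched-version list.
# "Initial Release" is treated as patch 0, so November 2024 IR is fixed from the start.
FIRST_FIXED_PATCH = {
    (2024, 11): 0,   # November 2024 Initial Release
    (2024, 5): 10,   # May 2024 Patch 10
    (2024, 2): 14,   # February 2024 Patch 14
    (2023, 11): 16,  # November 2023 Patch 16
    (2023, 8): 16,   # August 2023 Patch 16
    (2023, 5): 18,   # May 2023 Patch 18
    (2023, 2): 15,   # February 2023 Patch 15
}

# Assumed version-string format, e.g. "May 2024 Patch 9" or "November 2024 Initial Release".
_VERSION_RE = re.compile(
    r"^(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\s+(?:Patch\s+(?P<patch>\d+)|Initial Release)$"
)


def parse_version(text):
    """Return (year, month_number, patch) for a Qlik-style version string."""
    m = _VERSION_RE.match(text.strip())
    month = m.group("month").capitalize() if m else None
    if month not in MONTHS:
        raise ValueError(f"unrecognised version string: {text!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return int(m.group("year")), MONTHS[month], patch


def is_affected(text):
    """True if the version is within the advisory's affected range ("prior to and including")."""
    year, month, patch = parse_version(text)
    train = (year, month)
    if train < min(FIRST_FIXED_PATCH):
        return True  # older than February 2023: no fixed patch exists on that train
    if train not in FIRST_FIXED_PATCH:
        raise ValueError(f"release train {train} is not covered by the advisory")
    return patch < FIRST_FIXED_PATCH[train]


def hosts_needing_patch(inventory):
    """Given {hostname: version string}, return the hostnames still on an affected build."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = {
    "qs-prod-01": "May 2024 Patch 9",
    "qs-prod-02": "May 2024 Patch 10",
    "qs-dev-01": "November 2022 Patch 3",
    "qs-new-01": "November 2024 Initial Release",
}
```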
Additionally, a workaround is available to address complications involving extension errors and invalid visualization errors. It involves modifying the Repository.exe.config file and restarting specific Qlik Sense services.
While no reports of malicious exploitation have been received, organizations using Qlik Sense Enterprise for Windows are urged to take immediate action to protect their systems and data.
More generally, timely patching and adherence to security best practices remain crucial to maintaining a robust defense against potential cyber threats.