Again: Critical security vulnerability in Qlik Sense

How to make Qlik Sense safe with an update (September 2023)

Only last month (August 2023) there were two security vulnerabilities in Qlik Sense - now another one has just been announced. This one was also classified as "critical".

If you've only just updated, you already know the drill: once again it is essential to update to a secure version, and Qlik has already made the patches available for download.

In this article we explain the vulnerability and what you need to do to fix it.

Which versions are affected?

Only Qlik Sense Enterprise for Windows, i.e. the locally installed version of Qlik Sense, is affected.

Please check which version your Qlik Sense Server for Windows is running. All versions of Qlik Sense Enterprise for Windows before and including these versions are affected:

  • August 2023 Patch 1
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 10
  • August 2022 Patch 12
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

If you are using one of these versions, or an older version, you should definitely update.

The message from Qlik

This is a copy of the official Qlik message:

„A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE). This resolves an incomplete fix for CVE-2023-41265.
This issue was identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian. No reports of exploitation have been received.
Affected Software
All versions of Qlik Sense Enterprise for Windows prior to and including these are impacted: 
- August 2023 Patch 1
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 10
- August 2022 Patch 12
- May 2022 Patch 15
- February 2022 Patch 14
- November 2021 Patch 16
Severity Rating
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss) Qlik rates this severity as critical.
Vulnerability Details

CVE-pending (QB-21683) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)
Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application. This resolves an incomplete fix for CVE-2023-41265.
Recommendation 
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
- August 2023 SR2
- May 2023 SR6 
- February 2023 SR10 
- November 2022 SR12 
- August 2022 SR14
- May 2022 SR16
- February 2022 SR15
- November 2022 SR17
These patches include the fixes for previous issues CVE-2023-41266 and CVE-2023-41265.
All Qlik software can be downloaded from our official Qlik Download Site (customer login required).“

What do you have to do now?

If your Qlik Sense Enterprise for Windows is affected, you need to update your Qlik Sense Server as soon as possible - because by now, every hacker knows about this vulnerability.

If you have one of the following versions of Qlik Sense Enterprise for Windows installed, everything is fine:

  • August 2023 SR2
  • May 2023 SR6 
  • February 2023 SR10 
  • November 2022 SR12 
  • August 2022 SR14
  • May 2022 SR16
  • February 2022 SR15
  • November 2021 SR17

If a lower service release is installed, you should update promptly!

Example: version May 2023 SR4 is safe. If your Qlik Sense Server is running May 2023 SR3, for instance, you must update to May 2023 SR4 or August 2023 IR (Initial Release).

Please note that to upgrade to a new release, you must always install the IR (Initial Release) first and then the SR (Service Release).

Example: On your Qlik Sense Server you have installed February 2023 SR8 and would like to update to May 2023 SR6. Then you have to install May 2023 IR first and then May 2023 SR6. 
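To check a fleet of servers against the lists above without reading them by hand, here is an added example (not code from the original article or from Qlik) that parses a version string such as "May 2023 SR3" and reports whether it is at or above the first fixed service release of its line. It assumes "SR" and "Patch" are the same counter, as this page uses them interchangeably, and treats "IR" as service release 0.

```python
import re

# Month number of each Qlik Sense Enterprise for Windows release line.
_MONTHS = {"february": 2, "may": 5, "august": 8, "november": 11}

# First Service Release of each line that contains the fix, taken from the list above.
FIXED_SR = {
    (2023, 8): 2, (2023, 5): 6, (2023, 2): 10, (2022, 11): 12,
    (2022, 8): 14, (2022, 5): 16, (2022, 2): 15, (2021, 11): 17,
}

_VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\s*"
    r"(?:(?P<kind>IR|SR|Patch)\s*(?P<num>\d+)?)?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((year, month), service_release) for strings such as
    'May 2023 SR3', 'August 2023 Patch 1' or 'February 2023 IR' (IR counts as 0)."""
    m = _VERSION_RE.match(text)
    if not m or m.group("month").lower() not in _MONTHS:
        raise ValueError(f"unrecognised Qlik Sense version: {text!r}")
    line = (int(m.group("year")), _MONTHS[m.group("month").lower()])
    num = int(m.group("num")) if m.group("num") else 0
    return line, num


def assess(text):
    """Classify an installed version as 'patched', 'vulnerable' or 'unlisted'."""
    line, sr = parse_version(text)
    if line in FIXED_SR:
        return "patched" if sr >= FIXED_SR[line] else "vulnerable"
    if line < min(FIXED_SR):
        # Older than November 2021: no fix exists for that line, the page says to update.
        return "vulnerable"
    # A release line newer than this advisory covers: consult Qlik's current advisory.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not real server data.
    for v in ["August 2023 Patch 1", "May 2023 SR6", "February 2023 IR", "August 2021 SR5"]:
        print(f"{v:22} -> {assess(v)}")
```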

We can help you!

We love Qlik and are happy to help you review your Qlik Sense environment and do the update.

Just drop us a line and we'll get back to you as soon as possible:

Calling is also a nice thing: +49 40 60946300

Or: you can also schedule a free online meeting.

RSG Report Solution GmbH, Daniel Blank 21 September 2023