
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An HTTP Request Tunneling vulnerability (CVE-2023-41265) was discovered in Qlik Sense Enterprise for Windows affecting versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The vulnerability was identified and responsibly reported by Adam Crosser and Thomas Hendrickson of Praetorian (Praetorian Blog, Vendor Advisory).
The vulnerability allows a remote attacker to elevate their privilege by tunneling additional HTTP requests inside a raw HTTP request, so that the smuggled requests are executed by the backend server hosting the repository application. The vulnerability received a CVSS v3.1 score of 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD).
If successfully exploited, this vulnerability allows attackers to achieve unauthenticated remote code execution on the affected systems. The vulnerability can be combined with CVE-2023-41266 to compromise the server running the Qlik Sense software (Vendor Advisory).
The vulnerability is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. Organizations are strongly advised to upgrade to these patched versions. A subsequent fix for a bypass of the original patch was also released under CVE-2023-48365 (Praetorian Blog).
Security researchers from Praetorian discovered that the initial patch for CVE-2023-41265 could be bypassed, leading to the issuance of CVE-2023-48365. The new patch implements a more robust filtering mechanism that is less prone to CL.TE and TE.CL request tunneling attacks, in which the front-end and the backend disagree on whether the Content-Length or the Transfer-Encoding header defines the message body length (Praetorian Blog).
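The underlying weakness (CWE-444) is that two HTTP parsers in the same request path resolve an ambiguous body length differently. The strict framing check below is an added illustration written for this entry; it is not Qlik's patch or Praetorian's code, and the sample requests are constructed. It shows the policy a front-end or reverse proxy can apply to refuse any request whose framing is ambiguous instead of guessing: conflicting Content-Length and Transfer-Encoding headers, duplicate Content-Length values, a non-numeric length, or a field-name that contains whitespace so that one parser sees the header and another does not.

```python
"""Strict HTTP/1.1 request-framing check (CWE-444 mitigation).

Added example for this advisory, not the vendor's or the researchers' code.
A proxy applying this policy rejects requests whose body length could be
interpreted differently by a front-end and a backend.
"""
import re

# RFC 7230 "token" characters: the only characters allowed in a field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Transfer-codings a strict front-end is willing to recognise.
_KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "x-gzip", "x-compress"}


def parse_header_block(raw: bytes):
    """Split a raw request into (request_line, [(lowercased name, value), ...]).

    Raises ValueError on a structurally malformed header block; a strict
    front-end treats that as a reject rather than repairing the request.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "strict")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"header line without a colon: {line!r}")
        name = name.decode("ascii", "strict")
        # Whitespace inside the field-name ("Transfer-Encoding : chunked") is
        # exactly the kind of input two parsers interpret differently.
        if not _TOKEN.match(name):
            raise ValueError(f"invalid field-name: {name!r}")
        headers.append((name.lower(), value.decode("ascii", "strict").strip()))
    return request_line, headers


def framing_verdict(raw: bytes):
    """Return ("accept", []) or ("reject", [reason, ...]) for one raw request."""
    try:
        _, headers = parse_header_block(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "reject", [f"malformed header block: {exc}"]

    reasons = []
    lengths = [v for n, v in headers if n == "content-length"]
    codings_hdrs = [v for n, v in headers if n == "transfer-encoding"]

    if lengths and codings_hdrs:
        # RFC 7230 s3.3.3 says Transfer-Encoding wins, but a proxy and its
        # backend may not both implement that; the safe policy is to refuse.
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    for v in lengths:
        if not v.isdigit():
            reasons.append(f"non-numeric Content-Length {v!r}")
    if codings_hdrs:
        codings = [c.strip().lower() for v in codings_hdrs for c in v.split(",")]
        if codings[-1] != "chunked":
            reasons.append("chunked is not the final transfer-coding")
        unknown = [c for c in codings if c not in _KNOWN_CODINGS]
        if unknown:
            reasons.append(f"unrecognised transfer-coding {unknown}")
    return ("reject", reasons) if reasons else ("accept", [])


# Constructed sample requests (not captured traffic).
CLEAN_CL = b"POST /api HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello"
CLEAN_TE = b"POST /api HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = b"POST /api HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
DUP_CL = b"POST /api HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("clean CL", CLEAN_CL), ("clean TE", CLEAN_TE),
                       ("ambiguous", AMBIGUOUS), ("obfuscated", OBFUSCATED), ("dup CL", DUP_CL)]:
        verdict, why = framing_verdict(req)
        print(f"{label:10s} -> {verdict} {why}")
```

The design choice is to reject rather than normalise: rewriting an ambiguous request (for instance by dropping Content-Length when Transfer-Encoding is present) still leaves the front-end guessing at the sender's intent, whereas a 400 response removes the disagreement entirely. Logging the `reject` reasons from such a check also gives a cheap detection signal, since legitimate clients rarely send a request with both length headers or with whitespace inside a header name.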
Source: This report was generated using AI