CVE-2023-41266
Qlik Sense vulnerability analysis and mitigation

Overview

A path traversal vulnerability (CVE-2023-41266) was discovered in Qlik Sense Enterprise for Windows affecting versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The vulnerability allows an unauthenticated remote attacker to generate an anonymous session and transmit HTTP requests to unauthorized endpoints. The issue was identified and responsibly reported by researchers from Praetorian (Praetorian Blog).

Technical details

The vulnerability stems from improper validation of user-supplied input in the Qlik Sense Enterprise application. The CVSS v3.1 base score is 8.2 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. The vulnerability allows attackers to bypass authentication requirements enforced by the proxy service by crafting requests beginning with '/resources/qmc/fonts/' and ending in '.ttf' (Praetorian Blog, Qlik Advisory).

Impact

When successfully exploited, this vulnerability allows an unauthenticated attacker to bypass security controls and access unauthorized endpoints. The impact is particularly severe when combined with CVE-2023-41265, as together they could lead to unauthenticated remote code execution and potential compromise of the server running the Qlik Sense software (Qlik Advisory).

Mitigation and workarounds

Organizations should upgrade to the fixed versions: August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13. The patches can be downloaded from the official Qlik Download page (login required). Organizations should also review proxy audit logs for potential exploitation attempts, particularly focusing on requests that begin with /resources/ and end in .ttf, .woff, .otf, or .eot with directory traversal sequences (Qlik Advisory).
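As an added example that is not part of this report or of Qlik's own tooling, the following Python script applies the log-review criteria above (requests starting with /resources/, ending in a font extension, containing a traversal sequence) to constructed proxy log lines; the "METHOD path status" log format and all sample paths are assumptions, so adapt the field split to your real proxy audit log.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in an assumed "METHOD path status" layout.
# These are not real Qlik proxy audit records; the traversal targets are placeholders.
SAMPLE_LOG = """\
GET /resources/qmc/fonts/OpenSans-Regular.ttf 200
GET /resources/qmc/fonts/../../../placeholder/endpoint.ttf 200
GET /resources/%2e%2e/%2e%2e/placeholder/endpoint.ttf 200
GET /hub/ 302
GET /resources/qmc/fonts/..%2f..%2fplaceholder/endpoint.woff 200
"""

# Font extensions named in the advisory's hunting guidance.
FONT_EXT = re.compile(r"\.(ttf|woff|otf|eot)$", re.IGNORECASE)
# A ".." path segment, delimited by forward or back slashes.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalize(path: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is visible."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0]  # drop any query string before checking the suffix


def is_suspicious(path: str) -> bool:
    """True when a request path matches all three advisory criteria."""
    p = normalize(path)
    return (p.startswith("/resources/")
            and FONT_EXT.search(p) is not None
            and TRAVERSAL.search(p) is not None)


def find_suspicious(log_text: str) -> list[str]:
    """Return the request paths in log_text that warrant investigation."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and is_suspicious(fields[1]):
            hits.append(fields[1])
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious request:", hit)
```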

Community reactions

The security community has shown significant concern about this vulnerability, particularly due to its active exploitation by ransomware groups. The issue gained additional attention when researchers discovered that the initial fix for the related CVE-2023-41265 could be bypassed, leading to the release of CVE-2023-48365 (Praetorian Blog).

This report was generated using AI.
