Qlik Sense for Windows, a widely used business intelligence software, has recently been found to have critical vulnerabilities that pose significant risks to users. The flaws, discovered during Qlik’s internal security assessments, could allow attackers to execute remote code on affected servers. If exploited, these vulnerabilities could lead to unauthorized access, manipulation of data, and disruption of services. The vulnerabilities primarily affect Qlik Sense Enterprise for Windows versions from May 2023 to May 2024, underscoring the urgency for users to act.
The vulnerabilities include a high-severity remote code execution (RCE) risk associated with connectors, identified as CVE-pending (QB-29918, QB-29750). Attackers could exploit these flaws by creating connection objects that trigger the execution of arbitrary executable files. Additionally, several broken access control (BAC) issues, identified as CVE-pending (QB-29586, QB-29864, QB-29482, QB-29802), allow unauthorized users to remotely execute commands, which could jeopardize the system’s confidentiality, integrity, and availability.
Fortunately, Qlik has addressed these vulnerabilities by releasing security patches that resolve the issues and ensure system integrity. The recommended updates include several fixed versions, such as November 2024 Initial Release, May 2024 Patch 10, and February 2024 Patch 14. Users who are running vulnerable versions of the software are strongly encouraged to update immediately. These patches protect against potential exploits and maintain the security of Qlik Sense Enterprise for Windows systems.
In addition to the patches, Qlik has provided a workaround for those facing extension and visualization errors. This temporary solution involves modifying the Repository configuration file and can be applied either before or after installing the updates. As the risk of exploitation remains, users should prioritize applying the updates and reach out to Qlik Support if assistance is required. Prompt action is essential to ensure that Qlik Sense Enterprise servers remain secure from potential threats.
Reference:
