Cyber Resilience

CVE-2023-41265

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 29 August 2023
Modified: 31 October 2025
KEV Added: 07 December 2023
CVSS Score (v3.1): 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.9241 (99.7th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-41265 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Qlik Sense. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-41265 is an HTTP request tunneling vulnerability affecting Qlik Sense Enterprise for Windows in the May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier releases. The flaw, tracked under CWE-444, permits an attacker to craft raw HTTP requests that tunnel through the frontend and are executed by the backend repository application server.

A remote attacker with low privileges can exploit the issue over the network without user interaction to elevate privileges, achieving high impact on confidentiality and integrity with changed scope. The vulnerability carries a CVSS 3.1 base score of 9.6.

Qlik has published critical security fixes addressing the issue and states that the vulnerability is resolved in the August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13 releases; the associated advisories and release notes are available on the Qlik Community site. The CVE is also listed in CISA’s Known Exploited Vulnerabilities catalog.

The EPSS score has reached a peak of 0.9252 with a current value of 0.9241, indicating sustained exploitation interest after disclosure.


Vulnerability details

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CWE(s): CWE-444 (HTTP Request/Response Smuggling)
KEV Date Added: 07 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qlik
Product: qlik sense
Versions: august_2022, february_2023, may_2023, november_2022

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of vendor patches that close the HTTP request tunneling flaw in Qlik Sense.

AC-4 Information Flow Enforcement (prevent): Enforces information flow rules that block tunneled HTTP requests from reaching the backend repository server.

HTTP request validation (prevent): Requires validation of HTTP request syntax and structure to reject malformed or tunneled requests before backend execution.
