CVE-2023-41265
Published: 29 August 2023
Summary
CVE-2023-41265 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Qlik Sense Enterprise for Windows. Its CVSS 3.1 base score is 9.6 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-41265 is an HTTP request tunneling vulnerability affecting Qlik Sense Enterprise for Windows in the May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier releases. The flaw, classed under CWE-444 (inconsistent interpretation of HTTP requests), lets an attacker embed a further request inside the raw HTTP request they send: the frontend forwards the bytes without recognising the embedded request as a separate message, and the backend server hosting the repository application parses and executes it.
A remote attacker with low privileges can exploit the issue over the network without user interaction to elevate privileges. The impact on confidentiality and integrity is high and the scope is changed, because a request accepted by the frontend is executed by a different component, the backend repository server. The vulnerability carries a CVSS 3.1 base score of 9.6.
Qlik has published critical security fixes addressing the issue and states that the vulnerability is resolved in the August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13 releases; the associated advisories and release notes are available on the Qlik Community site. The CVE is also listed in CISA’s Known Exploited Vulnerabilities catalog.
The EPSS score peaked at 0.9252 and currently stands at 0.9241. EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, so a value above 0.92 indicates sustained exploitation activity well after disclosure, consistent with the KEV listing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45782
Vulnerability details
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
- CWE(s)
- CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
- KEV Date Added
- 07 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely application of the vendor patches that close the HTTP request tunneling flaw in Qlik Sense (August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13).
AC-4 (Information Flow Enforcement): enforces information flow rules between the frontend and the backend so that tunneled HTTP requests cannot reach the repository server.
Requires validation of HTTP request syntax and structure at the frontend, so that malformed requests and requests whose framing is ambiguous (and could therefore carry a tunneled second request) are rejected before anything reaches the backend for execution.
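As an added illustration of the CWE-444 mechanism described under Deeper analysis and of the request-validation control above (example code added here, not Qlik's code, and not a reproduction of the Qlik Sense request that triggers CVE-2023-41265): two toy HTTP/1.1 framers, one that lets Content-Length win and one that lets Transfer-Encoding win, split the same byte stream differently, so a request placed after the terminating chunk reaches the second parser as a separate request. A strict framer refuses the ambiguous request instead of guessing. The sample stream, the hostnames and the /admin path are constructed for the example.

```python
"""CWE-444 request desynchronisation with toy HTTP/1.1 framers, plus a strict
framer that rejects ambiguous framing. Generic example, not Qlik's code."""
import re

CRLF = b"\r\n"
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 token characters


def parse_head(stream: bytes):
    """Split off one request head: (request_line, raw header lines, remaining bytes)."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    return lines[0].decode("ascii"), lines[1:], rest


def header_pairs(raw_lines):
    """Lenient header parse (what permissive servers do): lowercased name, stripped value."""
    pairs = []
    for line in raw_lines:
        name, _, value = line.decode("ascii").partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def read_chunked(rest: bytes):
    """Decode a chunked body; returns (body, bytes left after the terminating chunk)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(CRLF)  # no trailers in this example
            return body, rest
        body += rest[:size]
        rest = rest[size + len(CRLF):]


def frame(stream: bytes, prefer: str):
    """Frame a byte stream into (request_line, body) tuples. `prefer` decides which
    header wins when Content-Length and Transfer-Encoding are both present:
    'content-length' mimics a lenient frontend, 'chunked' a lenient backend."""
    requests = []
    while stream:
        request_line, raw, rest = parse_head(stream)
        h = dict(header_pairs(raw))
        chunked = h.get("transfer-encoding", "").lower() == "chunked"
        cl = h.get("content-length")
        if chunked and (prefer == "chunked" or cl is None):
            body, stream = read_chunked(rest)
        elif cl is not None:
            n = int(cl)
            body, stream = rest[:n], rest[n:]
        else:
            body, stream = b"", rest
        requests.append((request_line, body))
    return requests


def framing_error(raw_lines):
    """Return why the framing is ambiguous, or None. Deliberately stricter than the
    RFC 9112 minimum: anything two parsers could read differently is rejected."""
    cls, tes = [], []
    for line in raw_lines:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name.decode("ascii", "replace")):
            return "malformed header line or whitespace before colon"
        if name.lower() == b"content-length":
            cls.append(value.strip())
        elif name.lower() == b"transfer-encoding":
            tes.append(value.strip())
    if cls and tes:
        return "both Content-Length and Transfer-Encoding present"
    if len(cls) > 1 or any(not v.isdigit() for v in cls):
        return "duplicate or non-numeric Content-Length"
    if len(tes) > 1 or (tes and tes[0].lower() != b"chunked"):
        return "unsupported or duplicated Transfer-Encoding"
    return None


def strict_frame(stream: bytes):
    """Like frame(), but refuses ambiguous requests so nothing can be tunneled."""
    requests = []
    while stream:
        request_line, raw, rest = parse_head(stream)
        problem = framing_error(raw)
        if problem:
            raise ValueError(f"400 Bad Request: {problem}")
        h = dict(header_pairs(raw))
        if "transfer-encoding" in h:
            body, stream = read_chunked(rest)
        else:
            n = int(h.get("content-length", "0"))
            body, stream = rest[:n], rest[n:]
        requests.append((request_line, body))
    return requests


# Constructed CL.TE sample: the hidden request sits after the terminating chunk
# and is covered by the outer request's Content-Length. Hostnames are made up.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: backend.internal" + CRLF + CRLF
OUTER_BODY = b"0" + CRLF + CRLF + SMUGGLED
SAMPLE_STREAM = (b"POST /api HTTP/1.1" + CRLF + b"Host: frontend.example" + CRLF
                 + b"Content-Length: " + str(len(OUTER_BODY)).encode() + CRLF
                 + b"Transfer-Encoding: chunked" + CRLF + CRLF + OUTER_BODY)
CLEAN_STREAM = (b"POST /api HTTP/1.1" + CRLF + b"Host: h" + CRLF
                + b"Content-Length: 2" + CRLF + CRLF + b"hi")

if __name__ == "__main__":
    print("frontend sees:", [r[0] for r in frame(SAMPLE_STREAM, "content-length")])
    print("backend sees: ", [r[0] for r in frame(SAMPLE_STREAM, "chunked")])
    try:
        strict_frame(SAMPLE_STREAM)
    except ValueError as e:
        print("strict framer:", e)
```

Run stand-alone, the lenient frontend reports a single POST whose body happens to contain a full GET, while the lenient backend reports two requests, the second being the GET the frontend never evaluated. The strict framer answers the same stream with a 400, which is the AC-4 and input-validation behaviour the controls above call for: refuse ambiguous framing at the boundary rather than let two components resolve it differently.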