CVE-2023-41266
Published: 29 August 2023
Summary
CVE-2023-41266 is a high-severity path traversal (CWE-22) vulnerability in Qlik Sense Enterprise for Windows. Its CVSS 3.1 base score is 8.2 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
A path traversal vulnerability exists in Qlik Sense Enterprise for Windows in May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The flaw, classified as CWE-22, lets an unauthenticated remote attacker generate an anonymous session and then send HTTP requests to endpoints that session is not authorized to reach; it carries a CVSS 3.1 base score of 8.2.
The issue is exploitable over the network with no privileges and no user interaction: the attacker obtains an anonymous session and uses it to reach internal resources that should be restricted, giving high confidentiality impact and limited integrity impact.
Vendor advisories from Qlik direct customers to apply the fixes released in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13; the same updates are referenced in the associated release notes.
The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score peaked at 0.9429 and currently stands at 0.9422, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45783
Vulnerability details
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
- KEV Date Added: 07 December 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely installation of the vendor patches that close the path-traversal flaw allowing anonymous session creation.
- AC-3 (Access Enforcement): enforces approved authorizations on every HTTP endpoint, so an attacker who does obtain an anonymous session still cannot reach restricted resources.
- SI-10 (Information Input Validation): requires validation of user-supplied input such as request paths, rejecting traversal sequences before they can be used to obtain an unauthorized anonymous session.
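The input-validation and access-enforcement controls above, shown as working code. This is an added example, not Qlik's code and not the CVE-2023-41266 exploit: the public prefixes, the request paths and the access-log lines are all constructed for illustration and are not real Qlik Sense endpoints. The point it demonstrates is the general CWE-22 defence: decode the request path fully (single, double and backslash-encoded variants), reject any `..` segment outright, and make the authorization decision on the canonical path rather than the raw one, so a traversal sequence cannot borrow a public prefix's authorization. The same functions are then run over sample log lines to flag requests the server answered 200 that should have been rejected or denied.

```python
"""Path-traversal request screening (CWE-22) as an illustration of the
SI-10 (input validation) and AC-3 (access enforcement) controls.

Added example, not Qlik's code. PUBLIC_PREFIXES and SAMPLE_LOG are
constructed for this example and are not real Qlik Sense endpoints or logs.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical paths that may be served without a session (assumption).
PUBLIC_PREFIXES = ("/static/", "/health/")
MAX_DECODE_ROUNDS = 3  # single, double and triple percent-encoding


def decode_path(raw_path: str) -> str:
    """Drop the query string, percent-decode until stable (bounded), and fold
    backslashes, which a Windows host treats as path separators.
    Overlong UTF-8 encodings (e.g. %c0%ae) are not handled here."""
    path = raw_path.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return path if path.startswith("/") else "/" + path


def has_traversal(decoded_path: str) -> bool:
    """Any '..' segment in the decoded path is a traversal attempt, even if
    normalization would later swallow it (normpath drops '..' above root)."""
    return any(seg == ".." for seg in decoded_path.split("/"))


def is_public(canonical: str) -> bool:
    """Prefix match on the canonical path only."""
    return any(canonical == p.rstrip("/") or canonical.startswith(p)
               for p in PUBLIC_PREFIXES)


def decide(raw_path: str, authenticated: bool) -> str:
    """Return 'reject' (SI-10: malformed input), 'allow' or 'deny' (AC-3).
    Authorization is evaluated on the canonical path, never the raw one."""
    decoded = decode_path(raw_path)
    if has_traversal(decoded):
        return "reject"
    canonical = posixpath.normpath(decoded)
    if is_public(canonical):
        return "allow"
    return "allow" if authenticated else "deny"


# Common-log-format line: client ident user [time] "METHOD path HTTP/x" status
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Constructed sample lines (not real Qlik Sense logs or endpoints).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2023:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200
203.0.113.5 - - [07/Dec/2023:10:00:02 +0000] "GET /static/../admin/users HTTP/1.1" 200
203.0.113.5 - - [07/Dec/2023:10:00:03 +0000] "GET /static/%2e%2e/admin/users HTTP/1.1" 200
203.0.113.5 - - [07/Dec/2023:10:00:04 +0000] "GET /static/%252e%252e%5cadmin/users HTTP/1.1" 200
198.51.100.7 - - [07/Dec/2023:10:00:05 +0000] "GET /admin/users HTTP/1.1" 302
"""


def screen_log(text: str, authenticated: bool = False) -> list:
    """Re-evaluate each logged request with decide() and return
    (path, verdict) for every request answered 200 that should not have been."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = decide(m["path"], authenticated)
        if m["status"] == "200" and verdict != "allow":
            findings.append((m["path"], verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in screen_log(SAMPLE_LOG):
        print(f"{verdict:6} {path}")
```

Running the block flags the three traversal variants (plain, single-encoded and double-encoded with a backslash) that the sample server answered 200, while the unauthenticated `/admin/users` request it redirected is left alone. The design choice to highlight is that `has_traversal` runs on the decoded but not-yet-normalized path: `posixpath.normpath` silently discards `..` segments above the root, so checking after normalization would miss exactly the inputs worth rejecting.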