CVE-2023-48365
Published: 15 November 2023
Summary
CVE-2023-48365 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Qlik Sense. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Qlik Sense Enterprise for Windows versions prior to the August 2023 Patch 2 are affected by CVE-2023-48365, a high-severity flaw that permits unauthenticated remote code execution. The root cause is improper validation of HTTP headers that allows request tunneling, and the issue stems from an incomplete remediation of the earlier CVE-2023-41265. The vulnerability carries a CVSS score of 9.6 and is tracked under CWE-444.
An attacker with network access can exploit the header-validation weakness to elevate privileges and forward arbitrary HTTP requests to the backend repository server, achieving remote code execution on that host without requiring authentication.
Vendor guidance published by Qlik directs customers to apply one of the listed fixed releases, specifically August 2023 Patch 2 or the corresponding back-ported patches for earlier branches. The flaw is also catalogued in CISA’s Known Exploited Vulnerabilities list, confirming in-the-wild exploitation.
The associated EPSS score has reached a peak of 0.6423 with a current value of 0.5622, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-52419
Vulnerability details
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
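As an added example (not Qlik's code or the advisory's own), the fixed-version list above turned into a triage check: given an inventory of installed release strings, it reports which hosts are still below the fixed patch for their branch. The "Month YYYY Patch N" string format and the treatment of branches outside the listed ones are assumptions.

```python
# Added example, not Qlik's code: flag Qlik Sense Enterprise for Windows installs
# below the patch level that fixes CVE-2023-48365. The "Month YYYY Patch N" string
# format and the handling of branches outside the listed ones are assumptions.
import re

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# Minimum fixed patch per release branch, as listed in the advisory text.
FIXED_PATCH = {
    (2023, 8): 2, (2023, 5): 6, (2023, 2): 10, (2022, 11): 12,
    (2022, 8): 14, (2022, 5): 16, (2022, 2): 15, (2021, 11): 17,
}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)  # (2023, 8)
RELEASE_RE = re.compile(r"^\s*([A-Z][a-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?\s*$")


def parse_release(text: str) -> tuple[int, int, int]:
    """'May 2023 Patch 6' -> (2023, 5, 6); a bare 'May 2023' counts as patch 0."""
    m = RELEASE_RE.match(text)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised Qlik Sense release string: {text!r}")
    return int(m.group(2)), MONTHS[m.group(1)], int(m.group(3) or 0)


def is_vulnerable(release: str) -> bool:
    """True if the release still lacks the fix for CVE-2023-48365."""
    year, month, patch = parse_release(release)
    branch = (year, month)
    if branch > NEWEST_FIXED_BRANCH:
        return False  # assumption: branches after August 2023 ship with the fix
    required = FIXED_PATCH.get(branch)
    if required is None:
        return True  # assumption: branches older than Nov 2021 have no fix listed
    return patch < required


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose installed release is still vulnerable."""
    return [host for host, rel in inventory.items() if is_vulnerable(rel)]


# Constructed sample inventory (hostnames are placeholders, not real assets).
SAMPLE_INVENTORY = {
    "qs-prod-01": "August 2023 Patch 1",
    "qs-prod-02": "May 2023 Patch 6",
    "qs-dev-01": "February 2022 Patch 14",
}
print(triage(SAMPLE_INVENTORY))  # -> ['qs-prod-01', 'qs-dev-01']
```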
- CWE(s): CWE-444 (HTTP Request/Response Smuggling)
- KEV Date Added: 13 January 2025
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of HTTP headers and other inputs, which the CVE shows was missing and allowed request tunneling to the backend repository.
- AC-3 (Access Enforcement): enforces that only authenticated and authorized subjects may perform actions on the repository application, blocking the unauthenticated privilege escalation path.
- Vendor patching: mandates timely application of vendor patches (August 2023 Patch 2 and equivalents) that close the incomplete fix for CVE-2023-41265.