CVE-2023-48365 is a vulnerability in Qlik Sense
Published on November 15, 2023

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Qlik Sense HTTP Tunneling Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.

The following remediation steps are recommended / required by February 3, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-48365 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 3.1 out of four. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2023-48365 has been classified to as a HTTP Request Smuggling vulnerability or weakness.

Products Associated with CVE-2023-48365

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-48365 are published in these products:

Qlik Sense

What versions of Qlik Sense are vulnerable to CVE-2023-48365?

Qlik Sense Version august_2022 patch_12 windows
Qlik Sense Version august_2022 patch_11 windows
Qlik Sense Version august_2022 patch_10 windows
Qlik Sense Version august_2022 patch_9 windows
Qlik Sense Version august_2022 patch_8 windows
Qlik Sense Version august_2022 patch_7 windows
Qlik Sense Version august_2022 patch_6 windows
Qlik Sense Version august_2022 patch_5 windows
Qlik Sense Version august_2022 patch_4 windows
Qlik Sense Version august_2022 patch_3 windows
Qlik Sense Version august_2022 patch_2 windows
Qlik Sense Version august_2022 patch_1 windows
Qlik Sense Version august_2022 - windows
Qlik Sense Version november_2022 patch_10 windows
Qlik Sense Version november_2022 patch_9 windows
Qlik Sense Version november_2022 patch_8 windows
Qlik Sense Version november_2022 patch_7 windows
Qlik Sense Version november_2022 patch_6 windows
Qlik Sense Version november_2022 patch_5 windows
Qlik Sense Version november_2022 patch_4 windows
Qlik Sense Version november_2022 patch_3 windows
Qlik Sense Version november_2022 patch_2 windows
Qlik Sense Version november_2022 patch_1 windows
Qlik Sense Version november_2022 - windows
Qlik Sense Version february_2023 patch_7 windows
Qlik Sense Version february_2023 patch_6 windows
Qlik Sense Version february_2023 patch_5 windows
Qlik Sense Version february_2023 patch_4 windows
Qlik Sense Version february_2023 patch_3 windows
Qlik Sense Version february_2023 patch_2 windows
Qlik Sense Version february_2023 patch_1 windows
Qlik Sense Version february_2023 - windows
Qlik Sense Version may_2023 patch_2 windows
Qlik Sense Version may_2023 patch_1 windows
Qlik Sense Version may_2023 - windows
Qlik Sense Version november_2021 patch_1 windows
Qlik Sense Version november_2021 patch_2 windows
Qlik Sense Version november_2021 patch_3 windows
Qlik Sense Version november_2021 patch_4 windows
Qlik Sense Version november_2021 patch_5 windows
Qlik Sense Version november_2021 patch_6 windows
Qlik Sense Version november_2021 patch_7 windows
Qlik Sense Version november_2021 patch_8 windows
Qlik Sense Version november_2021 patch_9 windows
Qlik Sense Version november_2021 patch_10 windows
Qlik Sense Version november_2021 patch_11 windows
Qlik Sense Version november_2021 patch_12 windows
Qlik Sense Version november_2021 patch_13 windows
Qlik Sense Version november_2021 patch_14 windows
Qlik Sense Version november_2021 patch_15 windows
Qlik Sense Version november_2021 patch_16 windows
Qlik Sense Version february_2022 patch_1 windows
Qlik Sense Version february_2022 patch_3 windows
Qlik Sense Version february_2022 patch_2 windows
Qlik Sense Version february_2022 patch_4 windows
Qlik Sense Version february_2022 patch_5 windows
Qlik Sense Version february_2022 patch_6 windows
Qlik Sense Version february_2022 patch_7 windows
Qlik Sense Version february_2022 patch_8 windows
Qlik Sense Version february_2022 patch_9 windows
Qlik Sense Version february_2022 patch_10 windows
Qlik Sense Version february_2022 patch_11 windows
Qlik Sense Version february_2022 patch_12 windows
Qlik Sense Version february_2022 patch_13 windows
Qlik Sense Version february_2022 patch_14 windows
Qlik Sense Version may_2022 patch_1 windows
Qlik Sense Version may_2022 patch_2 windows
Qlik Sense Version may_2022 patch_3 windows
Qlik Sense Version may_2022 patch_4 windows
Qlik Sense Version may_2022 patch_5 windows
Qlik Sense Version may_2022 patch_6 windows
Qlik Sense Version may_2022 patch_7 windows
Qlik Sense Version may_2022 patch_8 windows
Qlik Sense Version may_2022 patch_9 windows
Qlik Sense Version may_2022 patch_10 windows
Qlik Sense Version may_2022 patch_11 windows
Qlik Sense Version may_2022 patch_12 windows
Qlik Sense Version may_2022 patch_13 windows
Qlik Sense Version may_2022 patch_14 windows
Qlik Sense Version may_2022 patch_15 windows
Qlik Sense Version august_2022 patch_13 windows
Qlik Sense Version november_2022 patch_11 windows
Qlik Sense Version february_2023 patch_8 windows
Qlik Sense Version february_2023 patch_9 windows
Qlik Sense Version may_2023 patch_3 windows
Qlik Sense Version may_2023 patch_4 windows
Qlik Sense Version may_2023 patch_5 windows
Qlik Sense Version august_2023 patch_1 windows
Qlik Sense Version august_2023 - windows
Qlik Sense Version may_2022 - windows
Qlik Sense Version february_2022 - windows
Qlik Sense Version november_2021 - windows