Main Vulnerability Database SB2023113053

SB2023113053 - HTTP request smuggling in Qlik Sense Enterprise for Windows

Published: November 30, 2023

Security Bulletin ID SB2023113053

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-48365)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a remote user to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests caused by an incomplete fix for #VU80193 (CVE-2023-41265). A remote authenticated user can elevate their privileges within the application by tunneling HTTP requests.

Note, the vulnerability is being actively exploited in the wild.

Remediation

Install update from vendor's website.

References

https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510