Qlik Sense Enterprise Auth Bypass (CVE-2023-41266) - Vulnerability Database

Description

Qlik Sense Enterprise for Windows contains an authentication bypass vulnerability (CVE-2023-41266) that allows remote attackers to circumvent authentication controls using specially crafted HTTP request paths. By manipulating the request path structure, an attacker can obtain an anonymous session without providing valid credentials, effectively bypassing the application's authentication mechanism.

Remediation

Apply the appropriate security patches immediately based on your Qlik Sense Enterprise for Windows version:

1. Identify your current Qlik Sense version through the Qlik Management Console (QMC)
2. Download and install the corresponding patch from the official Qlik support portal:
- For May 2023 release: Apply patch 6 or later
- For February 2023 release: Apply patch 9 or later
- For November 2022 release: Apply patch 12 or later
- For August 2022 release: Apply patch 14 or later
3. Verify the patch installation by checking the version number in QMC
4. Review authentication logs for suspicious anonymous session activity that occurred before the patch was applied
5. If immediate patching is not possible, implement network-level access controls to restrict access to the Qlik Sense server to trusted IP addresses only

Refer to the official Qlik security advisory for complete patch details and installation instructions.
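For steps 4 and 5 above, an added example (not from this page or from Qlik): it reviews constructed log lines in a hypothetical layout and flags anonymous-session requests that come from outside an assumed trusted network or whose request path is not in canonical form. The page does not describe the exact malformed path, so the path check is a generic canonicalization heuristic, and the log format, field names and trusted range are all assumptions.

```python
import posixpath
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample in a hypothetical layout (NOT Qlik's real log format):
# "<timestamp> <client_ip> <auth_method> <http_method> <request_path>"
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 10.0.0.15 ntlm GET /hub/
2023-09-01T10:00:05Z 10.0.0.15 ntlm GET /qmc/
2023-09-01T10:02:11Z 203.0.113.9 anonymous GET /public/assets/../../app/
2023-09-01T10:02:12Z 203.0.113.9 anonymous GET /api/v1/items
2023-09-01T10:03:00Z 10.0.0.20 anonymous GET /content/public.html
2023-09-01T10:04:30Z 10.0.0.21 anonymous GET /public/%2e%2e/app/
"""

TRUSTED_NETWORKS = [ip_network("10.0.0.0/24")]  # assumed trusted range (step 5)


def canonical_path(raw_path):
    """Percent-decode once, then collapse '.' and '..' segments."""
    decoded = unquote(raw_path)
    norm = posixpath.normpath(decoded)
    if decoded.endswith("/") and norm != "/":
        norm += "/"  # normpath drops the trailing slash; keep it for comparison
    return decoded, norm


def is_trusted(client_ip):
    addr = ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_anonymous(log_text):
    """Return anonymous-session requests that deserve an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        ts, client, auth, _method, path = line.split(" ", 4)
        if auth != "anonymous":
            continue
        reasons = []
        if not is_trusted(client):
            reasons.append("untrusted source")
        decoded, norm = canonical_path(path)
        if norm != decoded:  # dot-segments survived decoding: not a canonical path
            reasons.append("non-canonical path")
        if reasons:
            findings.append({"time": ts, "client": client, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_anonymous(SAMPLE_LOG):
        print(f["time"], f["client"], f["path"], ", ".join(f["reasons"]))
```

Anonymous sessions from the trusted range with canonical paths are not flagged, since anonymous access can be a legitimate configuration; double-encoded paths would need a second decoding pass.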
