CVE-2023-41265

{"id": "CVE-2023-41265", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.1}]}, "published": "2023-08-29T23:15:09.170", "references": [{"url": "https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13."}], "lastModified": "2023-09-08T13:59:58.123", "cisaActionDue": "2023-12-28", "cisaExploitAdd": "2023-12-07", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:-:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "41AEA1CA-D344-48DB-92D8-05D0EDC8487D"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_1:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "FC12BB7A-366F-4EE2-AABF-19E83B5B9EC7"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_10:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "5F601CFC-70D0-450B-AE49-058E6B887E15"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_11:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "17E7F947-3322-46BB-9B89-689F1B792D89"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_12:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "37AF6E89-73F0-49E8-82F4-08084A5EBE2A"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_2:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "E4C7CBBB-C6A0-460E-95DC-C1855826C7F8"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_3:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "BD491E32-270C-452B-AC1E-FB8F509B916E"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_4:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "EDE2809B-4234-443E-9E6A-6B402D258617"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_5:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "155F0D6F-2E4A-40E7-9145-7D130334466B"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_6:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "D733F495-E0EF-4F25-8532-2773415EFB8B"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_7:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "578092D7-0F52-45C1-B7E2-FC5AF86AB8ED"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_8:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "1B3164BA-0BDB-41F9-B51C-4FB0489A125A"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:august_2022:patch_9:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "E0D31C35-50DC-4CDF-AFD4-311EAF5BBBD0"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:-:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "95BBBA68-269F-4385-9D14-A736F2CD707E"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_1:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "E6E1046C-35F4-451A-BFF1-2FC6EB01B547"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_2:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "D9AB037B-EE88-47CD-B387-42651CBAAFF9"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_3:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "3D28B87A-B36A-428E-A93B-255CFD62036F"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_4:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "9AD961D6-A315-493C-926F-1441E51C1742"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_5:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "1EFEBD77-7968-4649-8E9B-DAB24DC36E64"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_6:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "E6D033E6-C022-4C6B-9EAC-95ABF6CA9BA6"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:february_2023:patch_7:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "761B402F-4E98-46A4-A8E3-87F167CF01D0"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:may_2023:-:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "9E7034FB-5E64-47AD-B4A4-8428474C48C4"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:may_2023:patch_1:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "29158A06-3DE9-487B-9BC5-B4A690864F4F"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:may_2023:patch_2:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "272C2CFE-0D8E-46CE-92B6-2BA8658C951B"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:may_2023:patch3:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "039E4C03-89CA-4E77-8D79-39D22E85A299"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:-:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "72D56C24-9CEF-486B-8E46-6111D7B1676A"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_1:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "338E52B2-AD7D-43F3-B707-E0E5976B269E"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_10:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "D216C67A-F124-49F0-90EA-B0C8B663D760"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_2:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "FA68ADC7-9E20-4BD3-9235-6D76D4519512"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_3:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "B41A9B8C-FAD3-46F1-8973-DF1FA408064B"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_4:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "EE23F5BD-579C-488D-965A-AE916C32976A"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_5:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "E9C90120-93D1-43B0-B541-F07EB8FD44EB"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_6:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "450F236B-4673-403C-9E23-736C0ED92F6E"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_7:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "D5E431DE-26E2-4DA2-AD0B-1479D0C95B98"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_8:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "0D6F6570-970B-4E49-9D92-65FAFCC71360"}, {"criteria": "cpe:2.3:a:qlik:qlik_sense:november_2022:patch_9:*:*:enterprise:windows:*:*", "vulnerable": true, "matchCriteriaId": "38116465-3485-44D3-9097-F2C821D8278F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org", "cisaRequiredAction": "Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.", "cisaVulnerabilityName": "Qlik Sense HTTP Tunneling Vulnerability"}