A vulnerability has been identified in QlikView Server that allows a user with network access to the application to download files stored on the server's file system.
All QlikView Server versions before 11.20 SR18, 12.00 SR6, 12.10 SR10 and November 2017 SR8 (12.20 SR8) are affected.
QlikView Server November 2018 (12.30) is unaffected.
This vulnerability is rated as high due to the possibility of sensitive files from the hosting server being disclosed to unauthorized users.
Calculated CVSS score: 7.5 (High), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Due to insufficient sanitization of user input, a user can manipulate their browser requests to request files from the hosting server that they should not have access to. This type of vulnerability is commonly known as a directory traversal. A remote user could modify their HTTP requests in such a way that the QlikView Server allows them to download files from the server that they would not normally have access to. The scope of the disclosure is any file that the service account running the QlikView process can read. It applies to any user that can access the QlikView server remotely. The only mitigation is to upgrade to one of the fixed versions.
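The defensive pattern that closes this class of bug is to fully decode the requested path, canonicalize it, and confirm it still resolves under the directory the service is meant to serve before reading anything. The following Python is an added example, not QlikView's code or Qlik's patch; the document root and file names are constructed assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (assumption, not a real QlikView path).
DOC_ROOT = "/srv/qlikview/documents"


def fully_decode(value: str, max_rounds: int = 3) -> Optional[str]:
    """Percent-decode until the value stops changing (catches double encoding).

    Returns None if the value is still changing after max_rounds, which is
    treated as hostile rather than guessed at.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return None


def resolve_request_path(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative path onto the document root.

    Returns the canonical absolute path if it stays inside root, else None.
    Backslashes are treated as separators because Windows hosts accept both.
    """
    decoded = fully_decode(requested)
    if decoded is None or "\x00" in decoded:
        return None
    # Strip leading separators so the client cannot supply an absolute path
    # that would replace the root during the join.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check on the normalized path, not on the raw input.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for req in ["reports/sales.qvw", "../../secret.txt",
                "..%2F..%2Fsecret.txt", "%252e%252e/secret.txt", "..\\..\\secret.txt"]:
        print(f"{req!r:32} -> {resolve_request_path(DOC_ROOT, req)}")
```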
Customers are recommended to upgrade their QlikView Server installations to at least 11.20 SR18, 12.00 SR6, 12.10 SR10, November 2017 SR8 (12.20 SR8) or November 2018 (12.30).
Qlik would like to thank Linfosys B.V. (https://www.linfosys.nl/) for responsibly disclosing this issue to us.
Qlik has released new service releases as of 29 November 2018 for QlikView 11.20, QlikView 12.00, QlikView 12.10 and QlikView 12.20; please see the table below for the release of each version that contains the security fix for the directory traversal vulnerability. No change is required for QlikView 12.30 as it is not affected by this issue.
QlikView Releases with fix for QV-15634
| Major Version | Fix Included in | Release Date     |
|---------------|-----------------|------------------|
| 11.20         | 11.20 SR18      | 29 November 2018 |
| 12.00         | 12.00 SR6       | 29 November 2018 |
| 12.10         | 12.10 SR10      | 29 November 2018 |
| 12.20         | 12.20 SR8       | 29 November 2018 |
Please visit our download site to download and install these important service releases. Remember to always follow industry best practices when upgrading any software: read the release notes and ensure you back up your system prior to making any changes.
For details of Qlik's Security and Vulnerability policy, please see 000008125