A security vulnerability has been identified in QlikView Server and Qlik Sense Enterprise that may allow an authenticated user to download files stored on the server’s file system.
All QlikView Server versions older than the following:
- 11.20 SR19
- 12.00 any version (the product has reached the end of life)
- 12.10 SR11
- 12.20 SR9
- 12.30 SR2
All Qlik Sense Enterprise and Qlik Analytics Platform versions older than the following:
- any 2017 version or prior
- February 2018 Patch 4
- April 2018 Patch 3
- June 2018 Patch 3
- September 2018 Patch 4
- November 2018 Patch 4
- February 2019 Patch 2
This vulnerability is rated as high due to the possibility of sensitive files from the hosting server being disclosed to unauthorized users.
The calculated CVSS score is 8.2 (High): CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Because improper access controls are applied to user input, an authenticated user may be able to manipulate their browser requests to retrieve files from the hosting server that they should not have access to.
Qlik would like to thank Olga Barinova of Trustwave (www.trustwave.com) for disclosing this issue to us.
For further insight, we have created a list of frequently asked questions and answers, which can be found in the FAQ.
- It is recommended to upgrade QlikView Server installations to at least 11.20 SR19, 12.10 SR11, 12.20 SR9 or 12.30 SR2
- It is recommended to upgrade Qlik Sense Enterprise / Qlik Analytics Platform versions to at least February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4, February 2019 Patch 2, or April 2019 IR
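A triage helper for the fixed releases listed above, added here as an example and not Qlik's own tooling. It assumes inventory strings written the way this advisory names releases ("12.20 SR7", "June 2018 Patch 2"); the function names and status labels are hypothetical, and Qlik Sense releases after April 2019 IR are treated as fixed on the basis of the "at least" wording.

```python
import re

# QlikView Server: branch -> first fixed service release, as listed in the advisory.
QLIKVIEW_FIXED_SR = {(11, 20): 19, (12, 10): 11, (12, 20): 9, (12, 30): 2}
QLIKVIEW_EOL = {(12, 0)}  # 12.00: any version is affected, branch is end of life

# Qlik Sense / Qlik Analytics Platform: (year, month) -> first fixed patch level.
MONTHS = {"february": 2, "april": 4, "june": 6, "september": 9, "november": 11}
SENSE_FIXED_PATCH = {(2018, 2): 4, (2018, 4): 3, (2018, 6): 3,
                     (2018, 9): 4, (2018, 11): 4, (2019, 2): 2}
SENSE_FIRST_FIXED_RELEASE = (2019, 4)  # April 2019 IR


def triage_qlikview(version):
    """Classify a string such as '12.20 SR7' (assumed inventory format)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s+SR(\d+))?\s*", version, re.I)
    if not m:
        return "unparsed"
    branch, sr = (int(m[1]), int(m[2])), int(m[3] or 0)
    if branch in QLIKVIEW_EOL:
        return "affected-eol"
    if branch in QLIKVIEW_FIXED_SR:
        return "fixed" if sr >= QLIKVIEW_FIXED_SR[branch] else "affected"
    return "not-listed"  # branch is not named in the advisory; confirm with the vendor


def triage_sense(version):
    """Classify a string such as 'June 2018 Patch 2' (assumed inventory format)."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+)|\s+IR)?\s*", version, re.I)
    if not m:
        return "unparsed"
    year, patch = int(m[2]), int(m[3] or 0)
    if year <= 2017:
        return "affected-no-patch"  # "any 2017 version or prior": upgrade required
    month = MONTHS.get(m[1].lower())
    if month is None:
        return "not-listed"
    release = (year, month)
    if release >= SENSE_FIRST_FIXED_RELEASE:
        return "fixed"  # assumption: later releases carry the fix ("at least")
    if release in SENSE_FIXED_PATCH:
        return "fixed" if patch >= SENSE_FIXED_PATCH[release] else "affected"
    return "not-listed"


if __name__ == "__main__":
    for v in ("11.20 SR18", "12.00 SR5", "12.30 SR2"):  # constructed sample inventory
        print(v, "->", triage_qlikview(v))
```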
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
QlikView Upgrades:
- Upgrading and migrating QlikView Server (Qlik Help)
- Upgrading or Licensing QlikView with an expired Maintenance Contract
- Upgrading and migrating QlikView Server from 11.20 to November 2017 or later (Qlik Help)
- How To Upgrade From QlikView 11.20 To QlikView 12.00, 12.10, November 2017 release (12.20)
Qlik Sense Upgrades:
- Upgrading Qlik Sense (Qlik Help)
- [Best practice] Qlik Sense upgrade steps from November 2017+ version to February 2019 version