CVE-2023-48365:

Overview

Remediation

• Upgrade to a fixed version: Apply August 2023 Patch 2 or any of the listed fixed patches (May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, or November 2021 Patch 17) across all Qlik Sense Enterprise for Windows installations.
• Verify and validate: Confirm the patch is installed on all instances by checking version/build numbers; restart affected services as required and verify they come up cleanly.
• Testing: After patching, perform vulnerability scans and targeted testing to ensure the HTTP header validation issue cannot be exploited (simulate the tunneling scenario if feasible in a safe test environment).
• Apply compensating controls: If immediate patching is not possible, implement network-level mitigations such as restricting access to the Qlik Sense backend, enforcing strict HTTP header validation at the edge (e.g., via a web application firewall or reverse proxy), and segmenting the Qlik Sense deployment from untrusted networks.
• Monitor and verify: Stay informed with vendor advisories and CVE feeds (e.g., CISA KEV) and re-scan to confirm remediation; monitor for any related advisories about CVE-2023-41265’s incomplete fixes.
• Operational hygiene: Ensure backups and recovery procedures are in place prior to patching, and coordinate with IT operations to minimize downtime and validate service health post-deployment.

References

• - Qlik Community Official Support Article: Critical Security fixes for Qlik Sense Enterprise for Windows
• https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
• - MITRE CVE-2023-48365
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48365
• - CISA Known Exploited Vulnerabilities (KEV) feed (CVE-2023-48365)
• https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json