CVE-2023-48365 Overview
CVE-2023-48365 is a critical HTTP request smuggling vulnerability affecting Qlik Sense Enterprise for Windows that allows unauthenticated remote code execution. This vulnerability exists due to improper validation of HTTP headers, enabling a remote attacker to elevate their privileges by tunneling HTTP requests to the backend repository application server. Notably, this vulnerability represents an incomplete fix for CVE-2023-41265, indicating that the original remediation failed to fully address the underlying security issue.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Attackers can leverage this flaw to gain complete control over affected Qlik Sense Enterprise deployments without authentication, potentially compromising sensitive business intelligence data and enabling lateral movement within enterprise networks.
Affected Products
- Qlik Sense Enterprise for Windows August 2023 (before Patch 2)
- Qlik Sense Enterprise for Windows May 2023 (before Patch 6)
- Qlik Sense Enterprise for Windows February 2023 (before Patch 10)
- Qlik Sense Enterprise for Windows November 2022 (before Patch 12)
- Qlik Sense Enterprise for Windows August 2022 (before Patch 14)
- Qlik Sense Enterprise for Windows May 2022 (before Patch 16)
- Qlik Sense Enterprise for Windows February 2022 (before Patch 15)
- Qlik Sense Enterprise for Windows November 2021 (before Patch 17)
Discovery Timeline
- 2023-11-15 - CVE-2023-48365 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2023-48365
Vulnerability Analysis
This vulnerability falls under CWE-444 (Inconsistent Interpretation of HTTP Requests, commonly known as HTTP Request Smuggling). The flaw stems from improper validation of HTTP headers in the Qlik Sense Enterprise proxy service. When processing incoming HTTP requests, the application fails to properly sanitize and validate header content, creating a discrepancy between how the front-end proxy and back-end repository application interpret the same HTTP request.
The exploitation chain allows an attacker to craft malicious HTTP requests that bypass the authentication and authorization mechanisms enforced at the proxy layer. By manipulating HTTP headers, attackers can tunnel requests directly to the backend repository service, effectively executing operations with elevated privileges. The scope change in this vulnerability means successful exploitation can impact resources beyond the vulnerable component itself, potentially affecting the entire Qlik Sense infrastructure and connected data sources.
Root Cause
The root cause lies in the incomplete remediation of CVE-2023-41265. The original vulnerability was patched, but the fix did not comprehensively address all attack vectors related to HTTP header manipulation. Specifically, the HTTP header parsing logic contains inconsistencies that allow specially crafted headers to pass through the proxy validation while being interpreted differently by the backend server. This type of vulnerability typically arises when multiple components in a request processing pipeline have different interpretations of HTTP protocol specifications, particularly around headers like Content-Length and Transfer-Encoding.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it highly exploitable. An attacker with network access to the Qlik Sense Enterprise server can send specially crafted HTTP requests to the application's proxy service. These requests contain manipulated HTTP headers designed to exploit the parsing inconsistency between the proxy and backend components.
The attack flow typically involves:
- The attacker sends a crafted HTTP request to the Qlik Sense proxy with ambiguous or conflicting header values
- The proxy interprets the request one way and forwards it to the backend
- The backend interprets the smuggled portion as a separate, privileged request
- The attacker's smuggled request executes on the backend with elevated privileges, bypassing authentication controls
This enables the attacker to execute arbitrary HTTP requests against the repository application, which can be chained to achieve remote code execution on the underlying Windows server.
Detection Methods for CVE-2023-48365
Indicators of Compromise
- Unusual or malformed HTTP requests in Qlik Sense proxy logs containing multiple Content-Length or Transfer-Encoding headers
- Unexpected backend repository API calls that do not correlate with authenticated user sessions
- Anomalous process execution on Qlik Sense servers, particularly child processes spawned by the Qlik services
- Network connections from Qlik Sense servers to unexpected internal or external destinations
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block HTTP request smuggling patterns, including conflicting Content-Length and Transfer-Encoding headers
- Monitor Qlik Sense proxy and repository service logs for authentication bypass indicators and unauthorized API access
- Deploy endpoint detection and response (EDR) solutions to identify suspicious process behavior on Qlik Sense servers
- Utilize network traffic analysis to identify HTTP requests with smuggling characteristics targeting Qlik Sense infrastructure
Monitoring Recommendations
- Enable verbose logging on Qlik Sense proxy and repository services to capture detailed HTTP request information
- Configure SIEM rules to alert on HTTP request anomalies targeting Qlik Sense endpoints
- Establish baseline network behavior for Qlik Sense servers and alert on deviations
- Monitor for exploitation attempts using threat intelligence feeds that include CVE-2023-48365 signatures
How to Mitigate CVE-2023-48365
Immediate Actions Required
- Immediately apply the appropriate security patch for your Qlik Sense Enterprise version: August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, or November 2021 Patch 17
- If patching is not immediately possible, restrict network access to Qlik Sense servers to trusted IP ranges only
- Review Qlik Sense server logs for signs of prior exploitation and conduct incident response if indicators are found
- Ensure all Qlik Sense infrastructure is isolated from untrusted networks until patches are applied
Patch Information
Qlik has released security patches addressing this vulnerability across all supported release branches. Organizations should refer to the Qlik Official Support Article for detailed patch download links and installation instructions. The fixed versions are:
- August 2023 Patch 2
- May 2023 Patch 6
- February 2023 Patch 10
- November 2022 Patch 12
- August 2022 Patch 14
- May 2022 Patch 16
- February 2022 Patch 15
- November 2021 Patch 17
Given this vulnerability's presence in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and organizations following CISA guidance should prioritize remediation according to mandated deadlines.
Workarounds
- Implement network segmentation to restrict access to Qlik Sense servers from untrusted networks
- Deploy a properly configured reverse proxy or WAF in front of Qlik Sense that strictly validates HTTP headers and rejects ambiguous requests
- Disable external network access to Qlik Sense services if remote access is not required for business operations
- Consider temporarily taking affected Qlik Sense instances offline if they cannot be patched promptly and are exposed to untrusted networks
# Example: Windows Firewall rule to restrict Qlik Sense access to trusted networks
netsh advfirewall firewall add rule name="Restrict Qlik Sense Access" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/8,192.168.0.0/16
netsh advfirewall firewall add rule name="Block External Qlik Sense" dir=in action=block protocol=tcp localport=443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
