
High Severity Security fix for QlikView (CVE-2024-29863)
Mar 21, 2024 11:02:22 AM
Mar 20, 2024 7:56:23 AM
Executive Summary
A security issue in QlikView has been identified and patches have been made available. In both cases, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of Administrator.
The issue was identified and responsibly reported to Qlik by Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.
Qlik has received no reports of these vulnerabilities being exploited maliciously.
Affected Software
All versions of QlikView prior to and including the following releases are impacted:
- QlikView May 2023 SR1 (12.80.20100)
- QlikView May 2022 SR2 (12.70.20200)
Vulnerability Details
CVE-2024-29863 (QV-25113)
Severity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8 High)
A race condition exists in the QlikView installer executable that may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.
Resolution
Recommendation
Customers should upgrade QlikView to a version containing fixes for these issues. Fixes are available for the following versions:
- QlikView May 2023 SR2 (12.80.20200)
- QlikView May 2022 SR3 (12.70.20300)
Credits
Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.

For discussions and questions, comment directly on the related blog post. We will be monitoring it. Thank you!