CVE-2024-36077 - Vulnerability Details

Link	Providers
https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36077", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T03:30:13.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-22T16:46:32.097995"}, "descriptions": [{"lang": "en", "value": "Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024 Patch 3 (14.173.3 through 14.173.7), November 2023 Patch 8 (14.159.4 through 14.159.13), August 2023 Patch 13 (14.139.3 through 14.139.20), May 2023 Patch 15 (14.129.3 through 14.129.22), February 2023 Patch 13 (14.113.1 through 14.113.18), November 2022 Patch 13 (14.97.2 through 14.97.18), August 2022 Patch 16 (14.78.3 through 14.78.23), and May 2022 Patch 17 (14.67.7 through 14.67.31). This has been fixed in May 2024 (14.187.4), February 2024 Patch 4 (14.173.8), November 2023 Patch 9 (14.159.14), August 2023 Patch 14 (14.139.21), May 2023 Patch 16 (14.129.23), February 2023 Patch 14 (14.113.19), November 2022 Patch 14 (14.97.19), August 2022 Patch 17 (14.78.25), and May 2022 Patch 18 (14.67.34)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36077", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-22T17:47:43.952991Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qlik:qlik_sense:february_2024:patch_3:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "february_2024"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:november_2023:patch_8:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "november_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:august_2023:patch_13:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "august_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:may_2023:patch_15:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "may_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:february_2023:patch_13:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "february_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:november_2022:patch_16:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "november_2022"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:may_2022:patch_17:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "may_2022"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:48:10.488Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:13.077Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:13.077Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36077", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-22T17:47:43.952991Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qlik:qlik_sense:february_2024:patch_3:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "february_2024"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:november_2023:patch_8:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "november_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:august_2023:patch_13:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "august_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:may_2023:patch_15:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "may_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:february_2023:patch_13:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "february_2023"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:november_2022:patch_16:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "november_2022"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:a:qlik:qlik_sense:may_2022:patch_17:*:*:enterprise:windows:*:*"], "vendor": "qlik", "product": "qlik_sense", "versions": [{"status": "affected", "version": "may_2022"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-22T18:46:16.160Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509"}], "descriptions": [{"lang": "en", "value": "Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024 Patch 3 (14.173.3 through 14.173.7), November 2023 Patch 8 (14.159.4 through 14.159.13), August 2023 Patch 13 (14.139.3 through 14.139.20), May 2023 Patch 15 (14.129.3 through 14.129.22), February 2023 Patch 13 (14.113.1 through 14.113.18), November 2022 Patch 13 (14.97.2 through 14.97.18), August 2022 Patch 16 (14.78.3 through 14.78.23), and May 2022 Patch 17 (14.67.7 through 14.67.31). This has been fixed in May 2024 (14.187.4), February 2024 Patch 4 (14.173.8), November 2023 Patch 9 (14.159.14), August 2023 Patch 14 (14.139.21), May 2023 Patch 16 (14.129.23), February 2023 Patch 14 (14.113.19), November 2022 Patch 14 (14.97.19), August 2022 Patch 17 (14.78.25), and May 2022 Patch 18 (14.67.34)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-22T16:46:32.097995"}}}, "cveMetadata": {"cveId": "CVE-2024-36077", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:30:13.077Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024 Patch 3 (14.173.3 through 14.173.7), November 2023 Patch 8 (14.159.4 through 14.159.13), August 2023 Patch 13 (14.139.3 through 14.139.20), May 2023 Patch 15 (14.129.3 through 14.129.22), February 2023 Patch 13 (14.113.1 through 14.113.18), November 2022 Patch 13 (14.97.2 through 14.97.18), August 2022 Patch 16 (14.78.3 through 14.78.23), and May 2022 Patch 17 (14.67.7 through 14.67.31). This has been fixed in May 2024 (14.187.4), February 2024 Patch 4 (14.173.8), November 2023 Patch 9 (14.159.14), August 2023 Patch 14 (14.139.21), May 2023 Patch 16 (14.129.23), February 2023 Patch 14 (14.113.19), November 2022 Patch 14 (14.97.19), August 2022 Patch 17 (14.78.25), and May 2022 Patch 18 (14.67.34)."}, {"lang": "es", "value": "Qlik Sense Enterprise para Windows anterior a 14.187.4 permite a un atacante remoto elevar sus privilegios debido a una validaci\u00f3n inadecuada. El atacante puede elevar su privilegio a la funci\u00f3n interna del sistema, lo que le permite ejecutar comandos en el servidor. Esto afecta al parche 3 de febrero de 2024 (14.173.3 a 14.173.7), al parche 8 de noviembre de 2023 (14.159.4 a 14.159.13), al parche 13 de agosto de 2023 (14.139.3 a 14.139.20), al parche 15 de mayo de 2023 (14.129 .3 a 14.129.22), parche 13 de febrero de 2023 (14.113.1 a 14.113.18), parche 13 de noviembre de 2022 (14.97.2 a 14.97.18), parche 16 de agosto de 2022 (14.78.3 a 14.78.23), y el parche 17 de mayo de 2022 (del 14.67.7 al 14.67.31). Esto se solucion\u00f3 en mayo de 2024 (14.187.4), parche 4 de febrero de 2024 (14.173.8), parche 9 de noviembre de 2023 (14.159.14), parche 14 de agosto de 2023 (14.139.21), parche 16 de mayo de 2023 (14.129. 23), parche 14 de febrero de 2023 (14.113.19), parche 14 de noviembre de 2022 (14.97.19), parche 17 de agosto de 2022 (14.78.25) y parche 18 de mayo de 2022 (14.67.34)."}], "id": "CVE-2024-36077", "lastModified": "2024-11-21T09:21:35.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-22T17:16:15.377", "references": [{"source": "[email protected]", "url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object