DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
Field | Value |
---|---|
Our reference | DIVD-2021-00021 |
Case lead | Diego Klinkhamer |
Author | Hidde Smit |
Researcher(s) | |
CVE(s) | |
Product | Qlik Sense Enterprise on Windows |
Versions | < 14.44.0 |
Recommendation | November 2021 patch fixes this vulnerability. |
Status | Closed |
Last modified | 25 Apr 2025 17:30 CEST |
Summary
On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense Enterprise on Windows that can be abused for domain user enumeration. As of November 2021, this vulnerability has been fixed by the vendor. CVE-2022-0564 has been assigned to this vulnerability. Affected systems are only vulnerable if they have LDAP configured.
On 25 Apr 2025 we disclosed the full details of this vulnerability in the CVE record published on this site and in the CVE database.
What you can do
- Update Qlik Sense Enterprise to the latest version available.
- Disable internet-facing NTLM endpoints, e.g. `internal_windows_authentication`, to avoid domain enumeration.
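Enumeration through a timing side channel needs many authentication attempts against the NTLM endpoint, so a burst of failed requests to that path from one source is the signal a defender can watch for while the patch or the endpoint change is rolled out. The following detector is an added example, not DIVD's or Qlik's own code: it reads access-log lines in a generic combined format (constructed here; Qlik Sense writes its own log format, and the lines would normally come from the reverse proxy or web server in front of it) and flags any source that produced at least `THRESHOLD` 401 responses from a path containing `internal_windows_authentication` within a sliding `WINDOW`. The window, threshold, IP addresses and log lines are all assumptions made for the example.

```python
"""Flag bursts of failed requests against the Qlik NTLM endpoint.

Added example (not from the advisory or the vendor). Input is a generic
combined access-log format, constructed here for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT = "internal_windows_authentication"  # endpoint named in the advisory
WINDOW = timedelta(seconds=60)                 # assumed sliding detection window
THRESHOLD = 5                                  # assumed failures per window worth alerting on

# ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})(?:\s|$)'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_auth_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak_failures} for sources whose 401s on the NTLM endpoint
    reach `threshold` inside any interval of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not fatal
        ip, ts, path, status = parsed
        if ENDPOINT in path and status == 401:
            failures[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            # advance the window start until it lies within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


# --- constructed sample input (not real traffic) ---------------------------
_BASE = datetime(2021, 8, 18, 10, 0, 0, tzinfo=timezone(timedelta(hours=2)))


def _log_line(ip, seconds, path, status):
    ts = (_BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 0'


SAMPLE_LOG = "\n".join(
    # 203.0.113.10: six failures within five seconds -> burst
    [_log_line("203.0.113.10", i, f"/{ENDPOINT}/", 401) for i in range(6)]
    # 192.0.2.5: six failures, but one every two minutes -> below threshold per window
    + [_log_line("192.0.2.5", i * 120, f"/{ENDPOINT}/", 401) for i in range(6)]
    # 198.51.100.7: ordinary use, one failed NTLM attempt
    + [_log_line("198.51.100.7", 3, "/hub/", 200),
       _log_line("198.51.100.7", 4, f"/{ENDPOINT}/", 401)]
    + ["this line is not in combined format and is ignored"]
)

if __name__ == "__main__":
    for ip, peak in find_auth_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} failed {ENDPOINT} requests within {WINDOW}")
```

The sliding window is what separates a scripted enumeration run from a user who mistypes a password a few times over the day: with the default 60-second window only the fast source is reported, while widening the window to 15 minutes also catches the slow, spread-out attempts.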
What we are doing
- We are scanning the internet for vulnerable Qlik Sense Enterprise servers, and will notify system owners via the listed abuse contacts.
Timeline
Date | Description |
---|---|
18 Aug 2021 | Vulnerability reported to vendor. |
20 Aug 2021 | Vulnerability confirmed by vendor. |
09 Nov 2021 | Vulnerability patched by vendor. |
10 Feb 2022 | DIVD notified about patch by vendor. |
01 Mar 2022 | DIVD sent out a first batch of notifications. |
01 Apr 2022 | Case closed. |
25 Apr 2025 | Full disclosure. |
```mermaid
gantt
title DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration (226 days) :2021-08-18, 2022-04-01
section Events
Vulnerability reported to vendor. : milestone, 2021-08-18, 0d
Vulnerability confirmed by vendor. : milestone, 2021-08-20, 0d
Vulnerability patched by vendor. : milestone, 2021-11-09, 0d
DIVD notified about patch by vendor. : milestone, 2022-02-10, 0d
DIVD sent out a first batch of notifications. : milestone, 2022-03-01, 0d
Case closed. : milestone, 2022-04-01, 0d
Full disclosure : milestone, 2025-04-25, 0d
```