DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration

Our reference DIVD-2021-00021
Case lead Diego Klinkhamer
Author Hidde Smit
Researcher(s)
CVE(s)
Product Qlik Sense Enterprise on Windows
Versions < 14.44.0
Recommendation November 2021 patch fixes this vulnerability.
Status Closed
Last modified 25 Apr 2025 17:30 CEST

Summary

On 18 August 2021, DIVD discovered a timing attack vulnerability. This vulnerability can be abused for domain user enumeration. As of November 2021, this vulnerability has been solved by the vendor. CVE-2022-0564 has been assigned to this vulnerability. Affected systems are only vulnerable if they have LDAP configured.

On 25 Apr 2025 we disclosed the full details of this vulnerability in the CVE record published on this site and in the CVE database.

What you can do

What we are doing

Timeline

Date Description
18 Aug 2021 Vulnerability reported to vendor.
20 Aug 2021 Vulnerability confirmed by vendor.
09 Nov 2021 Vulnerability patched by vendor.
10 Feb 2022 DIVD notified about patch by vendor.
01 Mar 2022 DIVD sent out a first batch of notifications.
01 Apr 2022 Case closed.
25 Apr 2025 Full disclosure
gantt title DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration (226 days) :2021-08-18, 2022-04-01 section Events Vulnerability reported to vendor. : milestone, 2021-08-18, 0d Vulnerability confirmed by vendor. : milestone, 2021-08-20, 0d Vulnerability patched by vendor. : milestone, 2021-11-09, 0d DIVD notified about patch by vendor. : milestone, 2022-02-10, 0d DIVD sent out a first batch of notifications. : milestone, 2022-03-01, 0d Case closed. : milestone, 2022-04-01, 0d Full disclosure : milestone, 2025-04-25, 0d

More information