Skip to the content.

DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration

Our reference DIVD-2021-00021
Case lead Diego Klinkhamer
Author Hidde Smit
Researcher(s)
CVE(s)
Product Qlik Sense Enterprise on Windows
Versions < 14.44.0
Recommendation November 2021 patch fixes this vulnerability.
Status Open
Last modified 12 Aug 2022 09:21

Summary

On 18 August 2021, DIVD discovered a timing attack vulnerability. This vulnerability can be abused for domain user enumeration. As of November 2021, this vulnerability has been solved by the vendor. CVE-2022-0564 has been assigned to this vulnerability. Affected systems are only vulnerable if they have LDAP configured.

What you can do

What we are doing

Timeline

Date Description
18 Aug 2021 Vulnerability reported to vendor.
20 Aug 2021 Vulnerability confirmed by vendor.
09 Nov 2021 Vulnerability patched by vendor.
10 Feb 2022 DIVD notified about patch by vendor.
01 Mar 2022 DIVD sent out a first batch of notifications.
gantt title DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration (still open) :2021-08-18, 2022-10-04 section Events Vulnerability reported to vendor. : milestone, 2021-08-18, 0d Vulnerability confirmed by vendor. : milestone, 2021-08-20, 0d Vulnerability patched by vendor. : milestone, 2021-11-09, 0d DIVD notified about patch by vendor. : milestone, 2022-02-10, 0d DIVD sent out a first batch of notifications. : milestone, 2022-03-01, 0d

More information