
CVE-2022-0564: CWE-204: Observable Response Discrepancy in Qlik Sense Enterprise on Windows

Medium
Published: Mon Feb 21 2022 (02/21/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Qlik Sense
Product: Qlik Sense Enterprise on Windows

Description

A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured. The affected URI is /internal_forms_authentication/; the response time of the form is longer if the supplied user does not exist and shorter if the user exists.

AI-Powered Analysis

Last updated: 06/24/2025, 13:40:40 UTC

Technical Analysis

CVE-2022-0564 is a vulnerability identified in Qlik Sense Enterprise on Windows, specifically affecting version 14.x when LDAP authentication is configured. The vulnerability arises from an observable response discrepancy in the authentication mechanism at the URI endpoint /internal_forms_authentication/. An attacker can exploit this by sending authentication requests with different usernames and measuring the response times. The system responds faster when the username exists and slower when it does not, allowing an attacker to enumerate valid domain user accounts remotely without authentication. This side-channel timing attack leverages the difference in processing time to distinguish between valid and invalid usernames, potentially aiding further targeted attacks such as brute force or social engineering. The vulnerability is categorized under CWE-204 (Observable Response Discrepancy), which involves information leakage through timing differences. No known exploits have been reported in the wild, and no official patches have been linked, indicating that mitigation may require configuration changes or vendor updates. The vulnerability does not require user interaction or prior authentication, increasing its risk profile. However, the impact is limited to user enumeration and does not directly allow privilege escalation or code execution.

Potential Impact

For European organizations using Qlik Sense Enterprise on Windows version 14.x with LDAP authentication enabled, this vulnerability poses a moderate risk. The ability to enumerate valid domain user accounts can facilitate reconnaissance activities by threat actors, enabling more efficient password guessing, phishing, or targeted attacks against identified users. This can lead to compromised credentials, unauthorized access, and potential lateral movement within corporate networks. Organizations in sectors with high-value data or critical infrastructure may face increased risk if attackers leverage this information to escalate attacks. While the vulnerability does not directly compromise system integrity or availability, the information disclosure can be a stepping stone for more severe intrusions. Given the widespread use of Qlik Sense in data analytics and business intelligence across Europe, especially in finance, manufacturing, and public sectors, the threat could have significant operational and reputational consequences if exploited.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify if LDAP authentication is enabled on their Qlik Sense Enterprise 14.x deployments. If so, consider temporarily disabling LDAP authentication or restricting access to the /internal_forms_authentication/ endpoint via network segmentation or firewall rules to trusted IP addresses only. Implement rate limiting and monitoring on authentication endpoints to detect and block abnormal request patterns indicative of enumeration attempts. Additionally, applying any vendor-provided patches or updates as they become available is critical. If patches are not yet released, consider deploying Web Application Firewalls (WAFs) with custom rules to detect timing-based enumeration attempts. Logging and alerting on authentication failures and unusual response time patterns can help in early detection. Finally, educating users on phishing risks and enforcing strong multi-factor authentication (MFA) can reduce the impact of credential harvesting facilitated by user enumeration.
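As an added example (not part of this advisory or of Qlik's software), the following Python detection logic implements the monitoring recommended above: it parses a constructed proxy-style access log and flags any client whose failed logins to /internal_forms_authentication/ cover many distinct usernames within a short span, which is the request pattern a user-enumeration sweep produces. The log field layout, the 60-second window and the five-username threshold are assumptions, not Qlik defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape (not a Qlik Sense log format): "<ISO time> <ip> <uri> user=<name> result=<ok|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<uri>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
TARGET_URI = "/internal_forms_authentication/"
# Tuning values are assumptions: flag a client whose failed logins cover this many names per window.
DISTINCT_USER_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "uri": m["uri"], "user": m["user"].lower(), "result": m["result"]}

def find_enumeration(lines, threshold=DISTINCT_USER_THRESHOLD, window=WINDOW):
    """Return {client_ip: sorted distinct usernames} for every client whose failed
    attempts on TARGET_URI span >= threshold names inside one sliding window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uri"] == TARGET_URI and rec["result"] == "fail":
            failures[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide the window start forward
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= threshold:  # one user retrying a single name never trips this
                flagged[ip] = sorted(users)
                break
    return flagged

# Constructed sample: 203.0.113.10 sweeps five names in 16 s; 198.51.100.7 is one failed login; last line is another URI.
SAMPLE_LOG = """\
2022-02-21T10:00:01 203.0.113.10 /internal_forms_authentication/ user=alice result=fail
2022-02-21T10:00:05 203.0.113.10 /internal_forms_authentication/ user=Bob result=fail
2022-02-21T10:00:09 203.0.113.10 /internal_forms_authentication/ user=carol result=fail
2022-02-21T10:00:13 203.0.113.10 /internal_forms_authentication/ user=dave result=fail
2022-02-21T10:00:17 203.0.113.10 /internal_forms_authentication/ user=erin result=fail
2022-02-21T10:00:30 198.51.100.7 /internal_forms_authentication/ user=grace result=fail
2022-02-21T10:00:50 203.0.113.10 /hub/ user=frank result=fail
""".splitlines()
```

Feeding real logs through the same function only requires adapting LINE_RE to the actual field layout; the window and threshold should be tuned against normal login-failure rates before alerting on the result.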


Technical Details

Data Version
5.1
Assigner Short Name
DIVD
Date Reserved
2022-02-10T00:00:00
Cisa Enriched
false

Threat ID: 682d983ec4522896dcbf0253

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 1:40:40 PM

Last updated: 8/16/2025, 7:43:37 AM
