How severe is CVE-2023-41265?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2023-41265?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2023-41265 - CRITICAL Severity | CVSS 9.9

Vulnerability Description

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Related Vulnerabilities

CVE-2023-48365

CRITICAL

CVSS:9.9(Critical)

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevat...

CWE-4442023

CVE-2015-5739

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead...

CWE-4442015

CVE-2015-5740

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Con...

CWE-4442015

CVE-2015-5741

CRITICAL

CVSS:9.8(Critical)

CWE-4442015

CVE-2016-10711

CRITICAL

CVSS:9.8(Critical)

Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.

CWE-4442016

CVE-2017-7657

CRITICAL

CVSS:9.8(Critical)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk le...

CWE-4442017