CVE-2022-0564: Qlik Sense Enterprise on Windows Release notes - November 2021 Initial Release to Patch 16

A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.


Table of Contents

  • What’s new in Qlik Sense November 2021
  • Resolved Defects
  • Known issues and limitations
  • System requirements notes
  • Downloads

The following release notes cover the versions of Qlik Sense released in November 2021.

What’s new in Qlik Sense November 2021

Please refer to the What’s new sections of the online help for information about the new and updated features of the Qlik Sense Enterprise on Windows November 2021 release:

What’s new in Qlik Sense November 2021 (Users)

What’s new in Qlik Sense November 2021 (Developers)

What’s new in Qlik Sense November (Administrators)

November 2021

Partial reloads for scheduled reloads

You can now use the partial reload option for scheduled reloads in the QMC. Partial reloads have several benefits compared to full reloads:

  • Faster, because only data recently changed needs to be loaded. With large data sets the difference is significant.
  • Less memory is consumed, because less data is loaded.
  • More reliable, because queries to source data run faster, reducing the risk of having network problems.

Editing tasks

November 2021 Patch 15

Google BigQuery connector: Update in the OAuth flow for the User Authentication mechanism, due to the deprecation of OAuth out-of-band (oob) flow by Google. This change requires reauthentication of existing connection definitions.

November 2021 Patch 16

Patch policy for Qlik Sense Desktop has been updated. Please see “Latest release and patch” in download app for the latest Qlik Sense Desktop. All corrective content will be available in the latest patch of Qlik Sense Desktop.

Resolved Defects

November 2021 Patch 16

Key

Title

Description

QB-16853

Qlik Sense: Updated Node.js

Updated Node.js to address a third-party issue (CVE-2022-43548). For more information, visit https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/.

QB-14890

Qlik Sense Visualizations: Overwrite option for ODAG app not working

Fixed a problem where the “Overwrite generated apps” for ODAG did not work and triggered the warning message "Maximum number of generated apps reached". The overwrite option now works as expected and a newly generated app overwrites the existing ODAG app without a warning message.

QB-14348

Qlik Sense Engine: Mashup application hangs

Fixed a problem where a mashup application would hang when applying selections.

QB-14264

Qlik Sense Mobile: Lost connection on iOS

Fixed a problem where the connection was lost after minimizing the browser window and switching to other applications.

November 2021 Patch 15

Key

Title

Description

QB-14297

Qlik Sense Engine: Dutch parser (NL) is not starting when enabling NLU_MUILTI_LINGUAL

Fixed a problem that prevented the NL-parser from starting when enabling multi-language natural language queries in Qlik Sense Enterprise on Windows.

QB-11759

Qlik Cloud Enterprise Connectors: BulkReader cannot process large strings

Fixed a problem where BulkReader mode had an incorrect max string limit of 4096 characters.

QB-10967

Qlik Sense Engine: “Invalid visualization” error message shown on some apps

Fixed a problem where incomplete layout data was being passed from the Qlik Engine, resulting in the error message “Invalid visualization - The visualization was not found on the server” being shown. This occurred even for built-in visualizations.

QB-10789

Data connections: Could not load NCLOB or CLOB data types when connecting to Oracle DB

Fixed an issue where scripts failed to load field type NCLOB or CLOB when connecting to Oracle DB.

QB-10763

Qlik Oracle connector: Error in XML element function

Fixed a bug where using the XmlElement function in queries of the ODBC Connector Package Oracle datasource caused an error (ORA-00907: missing right parenthesis).

QB-9827

Qlik MySQL connector data type conversion issue

Fixed the reading of bit(1) data type for MySQL. It is now converted the same way as for bit columns with size larger than 1.

QB-9589

Can’t use dashes (-) in the database or table name using the MySQL connector wizard

The issue has been fixed and dashes can now be used in database names and table names.

QB-9515

Qlik Sense Enterprise Connectors: Wrong results via reload with MySQL connector

Fixed a problem in the loading of text values when the date field is NULL in Bulk Reader mode for the MySQL connector.

QB-8851

Can’t use dashes (-) in the database name using the MySQL connector wizard

The issue has been fixed and dashes can now be used in database names and table names.

QB-7033

Qlik Sense Enterprise Connectors: MongoDB query filter ‘WHERE’ clause not working as expected

Fixed a problem in which the ‘WHERE’ clause query filter was failing to load data from MongoDB. The issue was fixed with the latest mongo driver update - 2.3.19.1021.

November 2021 Patch 14

Key

Title

Description

QB-11350

Visualizations: Cannot change order of dimensions/measures by drag-and-drop when using table extensions

Fixed a problem that prevented the ordering of dimensions/measures in extensions using an older API (“uses: dimension” and “uses: measures”).

QB-9456

Security issue with jQuery UI 1.12.1

Upgraded jQuery UI from 1.12.1 to 1.13.1 to avoid a security issue.

QB-9454

Qlik Sense: Issue with information disclosure of internal FQDN and ports

Previously, when a URL was not found, a 404 HTTP error was returned along with the details of the internal URL to be used. This issue has now been fixed by removing the internal URL details from the returned payload and providing a generic “Content not found.” message.

November 2021 Patch 13

November 2021 Patch 12

Key

Title

Description

QB-10797

Qlik Sense Visualizations: Apply changes banner appears unexpectedly when working with containers

Fixed a bug that caused the Apply changes banner to appear unexpectedly even when no changes had been made to the visualizations.

QB-10692

Qlik Engine: Risk of corrupting the state of thread locks due to stalling engine

Resolved an issue where the engine was stalling when checking for changes to Settings.ini.

QB-10280

Qlik Engine: Not all published apps open after encryption certificate is changed

Fixed a bug that prevented some published apps from opening after a new encryption certificate was used. When the encryption certificate is now changed, all objects in the app are re-encrypted upon the first save or reload, removing any reference to the old certificate.

QB-10051

Qlik Sense Hub: Improper error handling for “api/hub/v1/apps/stream/” request

Fixed a problem that resulted in unnecessarily verbose error messages.

QB-9713

Qlik Sense: Pivot table sometimes displays incorrect background color

Fixed an issue where the pivot table would sometimes display incorrect background color when scrolling up or down.

November 2021 Patch 11

Key

Title

Description

QB-9797

Task status is not updated for apps

Fixed an issue where the task status in ‘App: associated items’ was not updated.

QB-9795

Information disclosure of internal FQDN and ports

In cases where a URL was not found, a 404 HTTP error was returned along with the details of the internal URL to be used. This issue has been fixed by removing the internal URL details from the returned payload and providing a generic “Content not found.” message.

QB-8050

Scheduler: Operations Monitor app does not show new reloads

Fixed a bug that altered the structure of the scheduler service logs, making them incompatible with the data load model of the Operations Monitor app. To inspect reload activity from the affected period, use the Reloads Monitor app.

November 2021 Patch 10

Key

Title

Description

QB-10460

“/qrs/license/requestaccesstype” takes long time to complete with large number of SAML groups

Fixed the issue by improving the parsing mechanism of values included in the “X-Qlik-ExtendedUser” header.

QB-9967

Information disclosure in response to “/qrs/systemrule/security/audit/export” API

The response to “/qrs/systemrule/security/audit/export” no longer discloses sensitive information. The file location now points to "%Temp Location%".

QB-9789

Qlik Sense: Large number of user groups coming from SAML\OIDC authentication caused slow performance in the hub and QMC

Some requests to the Qlik Sense Repository service would unnecessarily include persisting user attributes twice. This would impact performance across the Qlik Sense product. The issue has been fixed and the X-Qlik-ExtendedUserInfo header is now only included in an initial request, when the repository service compares the existing attributes with the ones coming from the Identity Provider.

November 2021 Patch 9

Key

Title

Description

QB-10174

Issue with notification setup when several websockets have opened the same app

When several websockets open the same app, event registration for notifications such as publish and unpublish is now set up and torn down appropriately.

QB-10171

Reload script is executed successfully but app save fails

Added a retry mechanism for the case where a locked transaction file would cause the Engine to fail when saving the app.

Affected areas:
- Autosave
- API: DoSave
- API: DoSaveEx

Note that if saving sometimes takes a little longer to complete, this may be the retry mechanism waiting for the file to be unlocked for writing (10 ms per retry).

IM-131

Add retry of CopyFileCollection when performing DoSave

Improvement for environmental issue when DoSave might fail.

The failure could be seen in the Engine System log as '*Could not copy collection* <fileshare path to app> (genericException)'
AppSerializer: SaveApp_internal caught extended exception 9010: Unknown error.

Added a retry mechanism that can be controlled through the settings.ini file:
CopyCollectionRetry=5

The default value is currently set to five retries. This setting can be turned off by setting it to 0.

November 2021 Patch 8

Key

Title

Description

QB-7782

Host header not validated when Qlik Sense hostname is added in ‘Host allow list’ in virtual proxy settings

Improved the HTTP Host header validation method for permitted domains as per ‘Host allow list’ performed by Qlik Virtual Proxy.

ENBT-440

Issue with deadlock on autosave loop

Due to synchronization primitive usage, the autosave loop could hang several threads and, at a later point, potentially cause a restart of the engine. This issue has been resolved.

November 2021 Patch 7

Key

Title

Description

QB-9485

Incorrect layout of Multi KPI objects in Qlik Sense

Fixed the layout of the objects in the KPI.

QB-8552

Dragging files in Qlik Sense Desktop failed

Dragging files into Qlik Sense Desktop resulted in an infinite spinner instead of allowing the selection of data. This issue is fixed.

QB-9570

Qlik Sense: Improve error messages for script save failures

The following improvements have been done:
- The timestamp for saved changes is more visible.
- A dialog makes it clear if the script saving failed.

November 2021 Patch 6

Key

Title

Description

QB-8218

Smart search doesn’t work when used in session apps

Resolved an issue where smart search did not work in session apps or in a mashup.

QB-7903

ODAG indication green light not consistent

When an app had multiple ODAG links, there were times when the constraints check (green light indicator) would use an expression from a different ODAG link. It now uses the correct expression.

November 2021 Patch 5

Key

Title

Description

QB-9228

App is not showing in Insight Advisor chat

For apps with large data models, scraping calls might take a long time to complete. Fixed the issue by making the scraping timeout of the nl-app-search HTTP request configurable. The default value for the timeout (two minutes) can now be increased by setting the scraping-request-timeout parameter in the service configuration.

QB-8992

Use safe ciphers by default

Fixed an issue with unsafe ciphers. The unsafe ciphers have been removed and a list of supported predefined ciphers is used. If you want to use the unsafe ciphers, you need to provide a list of them under the `–cipher-suites` parameter, as described in this knowledge article: https://help.qlik.com/en-US/nprinting/May2021/Content/NPrinting/DeployingQVNprinting/TLS-cipher-suit…

QB-8873

Forms Authentication with FQDN creates new user

When a user authenticated to Qlik Sense with Forms Authentication and FQDN as user directory, it was recognized as a different user, compared to when using a simple domain name. This has been fixed by using user impersonation, which prevents the creation of a new user.

QB-8541

Multi KPI chart style is changed unintentionally

Multi KPI chart is now reverted to the original style.

QB-7225

Insight Advisor Chat was not working with database security

Insight Advisor Chat was not working with SSL/TLS Postgres Connection configuration.

November 2021 Patch 4

Key

Title

Description

QB-8695

Teradata SSO username format is now configurable

The Teradata SSO username format is now configurable by editing the SSOUsernameFormat property in the QvOdbcConnectorPackage.exe.config file.
For UPN format, edit the property to:
<add key="SSOUsernameFormat" value="upn" />
For samaccountname, format property should look like this:
<add key="SSOUsernameFormat" value="samaccount" />

QB-8387

Sessions shared between browsers do not sync selections when using SAML authentication

SAML authentication flow was corrected to make sure that “samluser” object matches the referential "BaseUser".

November 2021 Patch 3

Key

Title

Description

QB-8198

Amazon Athena connector improvement

When using the Amazon Athena connector, the Data preview dialog now uses row limits with generated queries. This improves load times.

QB-7722

Unreliable auto-save behavior after reload

Qlik Sense will automatically save edits on session close and at a regular interval.
Auto-save could be unreliable when a user session against an app had changed between open modes “with data” versus "without data".
This happened if an end user would open an app without data and then reload the app from the Data load editor, but it could also happen as a result of scheduled reloads with impersonation. The problem could affect all users of the app, but in a multi-node system, problems would only occur on the node where the reload took place.

ENBT-374

Multiple concurrent sessions could result in system and engine instability

With multiple sessions running, the internal registry of derived fields (dimensions) could lock up under concurrent load. This deadlock occurred on a very low level, and would affect many other mechanisms in the engine, even those without immediate connection to the derived fields registry. The deadlock occurred unpredictably, but once locked up the engine would not recover without a restart. The change to the derived fields registry that introduced the deadlock condition has now been fixed, and it can no longer occur.

November 2021 Patch 2

Key

Title

Description

QB-7988

SSPI added for when WebFileUseWinAPI is turned off

SSPI is added in WebFileUseWinAPI=0 mode, making it possible to use current Windows credentials with web file connectors in that mode.

QB-7987

Fix of #myapps and #mytasks custom filters

Default #My apps or #My tasks filters would not work as QMC did not rely on fetching “user.id” from the repository service. Fix ensures that it always fetches "user.id".

QB-7070

Return the full allocated license access numbers no matter which user is calling accesstypeoverview

This enables the QMC to properly disable the Allocate button when there are no more seats available, even if the user in question does not have read access to all the allocated users.

Only the allocation numbers are revealed, not the user information.

QDCB-1094

qdc-catalog-service connect to correct proxy port when proxy port is set

qdc-catalog-service now connects to the correct proxy port when the proxy port is set to a port other than the default 443.

November 2021 Patch 1

Key

Title

Description

QB-6400

Selections are not displayed in the selection bar

Under a certain race condition, the selection state layout did not represent the latest selection properties. The correct selection was, however, always applied.

November 2021

Key

Title

Description

QB-2997

Non latin characters not recognised in Data Manager field editor

The Data Manager calculated field editor threw an “Unrecognised symbol” error on non-Latin characters.

QB-3317

Engine API: Engine does not allow setting an empty script

Before this fix:
The Engine allowed users to set an empty script through the API. When users then tried to get the script, the Engine would generate a default script. This led users to believe that the Engine did not allow setting an empty script.
After changes:
The Engine now throws an error when a user sets an empty script through the APIs.

QB-4212

HSTS Missing From HTTPS Server

Qlik Sense TCP/www ports that do not occur in the Physical proxies of a Virtual proxy are now restricted during the TLS/SSL handshake so that they do not produce HTTP responses.
The Qlik Sense Virtual proxy can be configured for the 443 TCP/www port to support the optional HTTP HSTS security header. Please see the support article https://community.qlik.com/t5/Knowledge-Base/HTTP-Strict-Transport-Security-HSTS-in-Qlik-Sense/ta-p/1711505.

QB-5202

Fix P&L pivot chart export as xls option in QCS

Enable export as xls option of P&L pivot chart in QCS

QB-5299

Qlik Sense May 2021 fails to install\upgrade due to missing Microsoft Visual C++ 2015-2019 Redistributable (x64)

When installing or upgrading Qlik Sense to May 2021 release on operating systems missing Microsoft Visual C++ 2015-2019 Redistributable (x64), installer would fail during the PostgreSQL version 12.5 install. This is now fixed.

QB-5344

Add error handling on swapping objects in a container

While navigating between the tabs of a variable extension, the error message “An error occurred. Invalid parameters” was displayed. Added error handling on swapping objects in a container.

QB-5418

Inconsistency in display of ‘Null Values’ in a scatterplot

Inconsistency in display of ‘Null Values’ in a scatterplot fixed.

QB-5419

Fix for Insight Advisor property change issue for alpha-numeric filter values ending with a number.

On Insight Property change in Insight Advisor, filter value with alpha-numeric value ending with number was being converted to its numeric equivalent and hence producing incorrect selection.

QB-5432

Alternative measure

Allow alternative measure when interaction is enabled but selection is disabled.

QB-5436

Improved handling of empty attribute dimensions in Sense pivot tables

Empty attribute dimensions of Qlik Sense pivot table definitions incurred a considerable performance penalty when evaluating the table, particularly in highly expanded states. The cost is necessary and natural with a present (non-empty) attribute dimension, but an empty dimension doesn’t require any calculations.
Their presence is now detected beforehand and they are handled through a dedicated shortcut without noticeable penalty.
The empty dimensions (dimension definitions) can occur for many reasons, e.g. due to templated object definitions, but they have been mistakenly added by certain versions of the Sense client.

QB-5442

Fix for insight advisor performance on complex queries/app with large dataset

Optimize the NLP search algorithm to improve the insight advisor performance for complex queries and applications with a large dataset.

QB-5466

Fixed issue: Qlik Athena connector error “Connection string exceeds maximum allowed length of 1024.” when using session token

Fixed issue: Qlik Athena connector error “Connection string exceeds maximum allowed length of 1024.” when using session token

QB-5514

Variable changes and additions are not kept during import and replace of app

User variables and additions were not replaced when an app was imported and replaced.

QB-5526

Insight Advisor / Insight Advisor Chat not recognizing filter/dimension values having multiple words with first word being a number

Fix for identifying and correctly applying filter value having multiple words starting with first word numeric for Insight Advisor / Insight Advisor Chat. Examples of such dimension values: 60 days, 10 years, 8 miles

QB-5544

Increase nl-app-search http request timeout

For apps with larger data models, dataprep classification calls can take a long time to complete. Increased the timeout of nl-app-search http requests to 2 minutes to avoid errors when longer calls succeed.

QB-5558

Fix apps not displaying correctly on iPhone

Fixed object heights not displaying correctly on iPhone.

QB-5651

Concurrent OpenDoc slow with many user variables

Loading user variables when opening a document scaled poorly with number of variables and the number of concurrent OpenDoc requests. The variable loading caused internal state changes in the opening document that are relatively costly. The change was done per individual variable, despite all variables being loaded as one. This caused poor scaling which impacted the time the persistence locks were held, blocking other loads. The variables are now loaded in the appropriate bulk mode, with a single state update on completion.

QB-5663

Fix persistent storage path in precedents-service

Use custom storage path if one was provided by the user in the installer.

QB-5673

The list of available connections from the ODBC connector package is missing

Fix broken build not generating all web content

QB-5681

Axis selections on a container object do not stick

When making axis selections on a container object with false show conditions, the selections do not stick since the layout of the object is reloaded.

QB-5698

Fix single selection behaviour in stacked bars case

The single selection was not working as expected in a Bar chart with stacked bars. This should now work as expected.

QB-5705

Disabling animation for custom formatting

Since the animation adds little value and this is a corner case, we simply disable the animation for this case.

QB-5706

Unexpected number formatting of KPIs in Qlik Sense

Changed the rounding method for these types of decimals to make sure that 0.xx5 is always rounded up.

QB-5771

Color legend

Fix item size in color legend

QB-5775

Partition filter handling for queries that read data from Google BigQuery partitioned tables

Fixed partition filter handling for queries that read data from Google BigQuery partitioned tables. The application now executes these queries without any failures.

QB-5848

Alternate state on viewing data

Update the alternate state on viewing data of an object.

QB-5860

“Operation was cancelled” error when using Qlik data analytics connection (SSE)

Do not raise GRPC status code CANCELLED as a separate error condition if the ongoing request is already cancelled.

QB-5946

Pivot Table: expanding Column causes “Internal JSON Protocol error” or “internal engine error”

Fix was done to prevent the Auto chart object getting into a corrupt state.

QB-5953

Connector data preview for date fields

Preview of ‘date’ type columns was improved. Instead of displaying this data as a timestamp the application uses short date format.

QB-6047

Webfile in WinApi mode stream-lined for https access

HTTPS certificates are now accepted in the same way as in non-WinAPI mode; additionally, the settings.ini setting WebFileAllowInsecureCert was added to cover rare cases.

QB-6048

Set analysis with money format

Set analysis on money formatted numbers should not require the comparison string to be money formatted.

QB-6097

Filterbox search and money format

Searching in filterbox containing money formatted numbers should not require the search string to be money formatted.

QB-6112

Fixed missing task-chain icon bug

After editing task and adding/removing a task event trigger the changes will now be reflected in the task-overview table.

QB-6290

Update logged ProxySessionID if the proxy attaches with a new ID

The engine session always logged with the initial ProxySessionID, provided by the proxy when the session was created. This ID could become irrelevant or confusing if successive proxy sessions attached to and detached from long-lived engine sessions, e.g. through TTL. The engine now updates the associated ProxySessionID if a new one is provided upon session attach. The update is recorded in the engine log.

QB-6297

DatePicker object stopped working after upgrade to April 2020 and later

The sort order indicator had been changed in the engine properties, which led to sortOrder being incorrectly defined, so the selection was not applied.

QB-6320

Not possible to restore an application with Qlik Sense May 2021

If an app is missing version number when it is opened, we add the latest engine version number to it.

QB-6329

Bar chart color

Fix coloring when the mini chart scroll position starts at the end.

QB-6331

Mutual TLS for MySQL ODBC connector

The connection dialog of the MySQL ODBC Connector now has new properties allowing the client to upload and use a client certificate and private key in order to establish a mutual TLS connection.

QB-6333

Flex box issue in Safari

A workaround to avoid a third party issue.

QB-6368

Portuguese mistranslation when data is loaded

Fixed the incorrect translation in Portuguese that said there were errors when the data load was successful.

QB-6399

Fix - Insight Advisor Chat is not working when having a Postgres password with special character (?)

Fixed the issue where Insight Advisor Chat is not working when having a Postgres password with a special character (?)

QB-6408

Master dimension description not displaying

Information about master items was not displayed when either measures (filterpane) or dimensions were not present.

QB-6436

Introduced “Retry Timeout” for Google BigQuery

Introduced new parameter “Retry Timeout” for Google BigQuery which is the length of time, in seconds, for which the connector retries a failed API call before timing out.

QB-6464

Fix keyboard accessibility on context menu in embed sheet and single object

Fix shift+F10 keyboard accessibility on the context menu in embed sheet and single object.

QB-6471

Map point layer images failing in mashups on network

This bug fixes an issue where a GeoMapChart with Point Layer images would fail to load Point Layer images when used in a mashup over a network.

QB-6517

Total stack label

Add total stack label when it is zero.

QB-6518

Stepped version of libxml2 to 2.9.12

Stepped version of libxml2 to ver 2.9.12 (contains important security fixes).

QB-6521

Word cloud chart size

Ignore rendering word cloud chart when its size is very small.

QB-6532

Copy-pasted images in Text & Image object pointing to old app when app is cloned

Previously, when copy-pasting images we did not create a new ID for the markup holding the image, which resulted in the image pointing to the previous app’s image when the app was cloned. In addition, the URL was double-encoded in this case which has now been fixed.

QB-6548

Italian zip codes

Next version of LocationDB (2108) is updated with new Italian zipcodes

QB-6559

Preventing selections when updating a calculated field

Since calculated dimensions are not equivalent to fields, selections won't work the same way. When making selections in a field, rows are never removed, while that might be the case for calculated dimensions. To ensure that a row still exists before selecting it, the listbox will now wait until it is updated from previous selections.

QB-6612

Dimension expressions could mix up field names differing only by whitespaces

When generating fields-on-the-fly for a dimension expression, a canonized form of the expression is used. The canonization could strip whitespace out of invalid expressions in such a way that the expression became valid, because an unquoted (invalid) field reference in the canonized form matched an unintended field. The canonization now recognizes this and leaves a canonical whitespace in.

QB-6615

Fix printing service start/stop error when certificates are missing

If the required Qlik client and server certificates were missing, the printing service would hang when stopping.
This release fixes these start and stop service issues when the certificates are missing.

QB-6619

Loss of application changes was possible when auto save operations took time

Engine auto-saves all user edits continuously, but also when a session is closed.
Sometimes, there can be delays in the auto-save operation because of overall load either on the Qlik software or on database and file systems.
A software error made it possible for an intermittent delay in the auto-save operation on session close to affect a newly opened session for the same user on the same app in such a way that the newly opened session would never be auto-saved. This situation could occur on a web browser refresh or any kind of network issue that led to rapid closure and re-establishment of the websocket connection from Qlik Sense client to Engine.

QB-6645

Loading JSON string values did not use correct code page

Loading JSON data did not use a unicode code page by default, and additionally did not pick up an explicitly given code page, breaking all non-ASCII string values.
UTF-8 is now used by default, and a code page specifically given in the load statement is now applied.

QB-6743

Extensions post-bundle installer recreates default extensions on every restart of the Qlik Sense Repository service.

The version numbering system was changed to accommodate patch deliveries which led to mismatch with old version numbers and thus these extensions were always freshly installed. This would result in the removal of all the associated entities, for example custom security rules created for those extensions.

QB-6763

qlik.getGlobal() call throws EventEmitter memory leak errors

Previously, `qlik.getGlobal()` when used in a 3rd party extension within Qlik Sense Dashboard was throwing EventEmitter memory leaks warnings in the console.
The fix re-uses the already created old rpc-session instance if available, so it avoids re-registering the session listeners and fixes the memory leaks warning.

QB-6779

Cancel/Confirm button is invisible for filter pane in a container

Cancel/Confirm button is now visible for filter pane in a container

QB-6819

Default layout is not applied when using bookmarks containing layout state

When using bookmarks containing the layout state it does not apply the default layout on the objects. This issue is fixed, however with the following limitations. It will only work on newly created bookmarks and on the current sheet.

QB-6828

A Denied Access dialog appears after switching between sheets or when another user accesses the app.

When you switch between sheets, or another user accesses the app, you get a Denied Access dialog. This happens only when you have a container object in your app.

QB-6839

Removing redundant property from KPI

There was a property on the KPI we were not using anymore. This caused the KPI to crash if you were using measure expression formatting on the second measure.

QB-6847

Empty value on activeTab patch causes error

Empty value on activeTab property causes invalid visualization error on a container object.

QB-6867

Resolved timing issue that could lead to user enumeration

When using Windows NTLM as the authentication provider, the error response time for an invalid username was measurably different from that of a valid username. This could allow somebody with access to the system to determine whether a given username was valid. The response times are now the same.
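The pattern behind QB-6867, as an added example that is not Qlik code: a login check that returns early for an unknown user skips the expensive credential step, so the response time reveals whether the account exists, and the fix is to perform the same work on both paths. The user store, usernames and passwords below are constructed for illustration.

```python
"""
Added example, not Qlik code: a login check that returns early for an
unknown user leaks account existence through response time; the usual
fix is to do the same expensive work on both paths.  All usernames,
passwords and the user store below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

_ITERATIONS = 50_000                          # PBKDF2 cost; the "slow" step
_USERS: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
_DUMMY_SALT = os.urandom(16)                  # used when the user does not exist
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, _ITERATIONS)


class Stats:
    """Counts key derivations so the cost of each code path can be compared
    without relying on wall-clock timing, which is noisy in tests."""
    derivations = 0


def _derive(password: str, salt: bytes) -> bytes:
    Stats.derivations += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def login_vulnerable(username: str, password: str) -> bool:
    """Returns before the PBKDF2 step when the user is unknown, so an invalid
    username is answered measurably faster than a valid one with a wrong
    password: the timing difference described in QB-6867."""
    record = _USERS.get(username)
    if record is None:
        return False          # fast path: reveals that no such user exists
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always derives and compares, against a dummy record if the user is
    unknown, so both outcomes perform the same work before answering."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    # The existence check happens after the work, never instead of it.
    return matched and username in _USERS


def derivations_for(fn, username: str, password: str) -> int:
    """Number of PBKDF2 derivations fn performs for one attempt."""
    before = Stats.derivations
    fn(username, password)
    return Stats.derivations - before


def median_ns(fn, username: str, password: str, rounds: int = 20) -> int:
    """Median wall-clock cost of one attempt, for the stand-alone demo."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter_ns()
        fn(username, password)
        samples.append(time.perf_counter_ns() - start)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")   # constructed account
    for fn in (login_vulnerable, login_hardened):
        valid = median_ns(fn, "alice", "wrong password")
        unknown = median_ns(fn, "nobody", "wrong password")
        print(f"{fn.__name__:17s} valid user: {valid / 1e6:7.2f} ms  "
              f"unknown user: {unknown / 1e6:7.2f} ms")
```

Run stand-alone, the vulnerable variant answers the unknown user in microseconds and the valid user in tens of milliseconds, while the hardened variant costs the same on both paths.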

QB-6870

OIDC authentication fails when no prefix is used

OIDC authentication failed when using a virtual proxy with no prefix. This was caused by an extra slash added to the authentication URL. This has now been fixed: OIDC authentication works with or without a prefix.

QB-6882

When searching for a value and pressing Enter without waiting for the search to complete, the search clears the value from the selection

Confirming the search query is throttled so that the engine search is not called while the query is being typed. This fix ensures that the correct search query is confirmed when the Enter key is pressed.

QB-6897

Corrected wrong translations in Insight Advisor

A typo in the Dutch translation of the Help us learn section in Insight Advisor has been corrected.

QB-6901

Fast selections in a child in a container cannot be made

The container object is not in selection mode while its child object is. As a result, not all of the multiple selections made in quick succession were applied.

QB-6909

Connector fails with datatype “Longtext”

The connector failed in the select dialog if the “longtext” data type was used. This is now fixed.

QB-6955

Remove deleted master items from qvf file

Master items (dimension and measure) were deleted from an app and the app was published and replaced. When the published app (QVF file) was copied from the persistent folder and imported, the QVF file still contained the master items that were supposed to be deleted.

QB-6958

Apps are now presented in all supported languages.

Fixed a problem where an app is presented in English even though the device is using a supported non-English language.

QB-6962

Remove deleted master items from qvf file

Master items (dimension and measure) were deleted from an app and the app was published and replaced. When the published app (QVF file) was copied from the persistent folder and imported, the QVF file still contained the master items that were supposed to be deleted.

QB-6992

Loss of application changes after app had been opened without data and reloaded in Data load editor

Application edits could be lost when a user session against an app switched between the “with data” and “without data” open modes.
This happened when an end user opened an app without data and then reloaded it from the Data load editor.

QB-6995

OIDC authentication fails when using custom Qlik Proxy port

OIDC authentication did not work when the Qlik Proxy port was set to a port other than 443 (the default). This has now been fixed, and OIDC authentication works with a custom Qlik Proxy port.

QB-7042

Excel export timeout works

The ExportTimeLimitSec setting now has the desired effect.

QB-7167

Filterpane in mashup showed no scroll bar

Using filter panes in mashups with a large number of fields incorrectly showed the … button instead of a scroll bar.

QB-7169

Table inside a container sometimes does not show values

Table inside a container sometimes does not show values.

QB-7208/QB-7705

Qlik Sense used a version of log4net with known vulnerabilities.

Log4net has been updated from version 2.0.8 to 2.0.12 in affected components. It has not been updated for Qlik Sense Logging Service due to its ongoing deprecation.

QB-7218

Introduce limits on which HTML tags the PDF renderer is permitted to process

Additional input validation has been added to the API for PDF rendering. This is to help ensure that the rendering engine does not attempt to access network resources that it should not need to.
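One way to express such a limit, as an added example that is not Qlik's validation code: an allow-list filter that rebuilds the HTML from permitted tags and attributes only, so the renderer is never handed a tag or attribute that would make it fetch a resource. The allowed sets, the class name PdfInputFilter and the sample document are assumptions made for illustration; the renderer is assumed to fetch anything referenced by src, href or CSS url().

```python
"""
Added example, not Qlik's validation code: an allow-list filter for HTML
handed to a PDF renderer, so the renderer is never given a tag or attribute
that would make it fetch a network resource.  Tag and attribute sets and the
sample document are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Tags the renderer may process. Everything else is dropped.
ALLOWED_TAGS = {"html", "body", "div", "span", "p", "br", "hr", "b", "i", "u",
                "strong", "em", "h1", "h2", "h3", "table", "thead", "tbody",
                "tr", "th", "td", "ul", "ol", "li"}
# Attributes that carry no URL and no script. "style" is deliberately absent
# because CSS url(...) would also trigger a fetch.
ALLOWED_ATTRS = {"class", "colspan", "rowspan", "align", "valign"}
# Elements whose content must not render either (scripts, nested documents).
DROP_CONTENT = {"script", "style", "iframe", "object", "noscript", "svg"}
VOID_TAGS = {"br", "hr"}


class PdfInputFilter(HTMLParser):
    """Rebuilds the document from allowed tags/attributes only and records
    what was dropped, so rejected input can be logged rather than silently
    rendered."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []
        self._skip = 0          # nesting depth inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_CONTENT:
                self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in DROP_CONTENT:
                self._skip = 1
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name in ALLOWED_ATTRS:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")   # src, href, on*, style
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize_for_pdf(document: str) -> tuple[str, list[str]]:
    """Returns (clean_html, dropped_items) for a document about to be rendered."""
    f = PdfInputFilter()
    f.feed(document)
    f.close()
    return "".join(f.out), f.dropped


if __name__ == "__main__":
    # Constructed sample: a report body with a remote image, a script and a handler.
    sample = ('<p class="title">Quarterly report</p>'
              '<img src="http://internal.example/secret.png">'
              '<script>fetch("http://internal.example/")</script>'
              '<b onclick="steal()">totals</b>')
    clean, dropped = sanitize_for_pdf(sample)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is worth logging: a report template that suddenly starts carrying img, iframe or on* attributes is a signal in itself.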

QB-7255

Long expressions move info panel off the bottom of the expression editor

Addressed issue where long expressions moved info panel off the bottom of the modal expression editor dialog.

QB-7262

Installer prompts for choosing database superuser password when upgrading

When upgrading from older releases of Qlik Sense with bundled PostgreSQL 9.6, the installer prompted the user to choose a database superuser password instead of asking for the password already set during the initial installation.

QB-7336

Fix for the default tls version for nl-app-search

The default TLS version used in previous releases was 1.1, which could be changed using a parameter. This fix sets the default TLS version in nl-app-search to 1.2.

QB-7413

OIDC attributes not using the Qlik Sense attribute mapping

After authenticating with OIDC, attributes persisted in the database were not properly mapped to Qlik Sense attributes.

QB-7474

Performance improvement to ConvertToLocalTime function

Significant performance and stability improvements to the ConvertToLocalTime function.

QB-7705

Qlik Sense used a version of log4net with known vulnerabilities.

Log4net version has been updated from 2.0.8 to 2.0.12.

QB-7962

When AutoCalendar is enabled, Insight Advisor doesn’t see filters and attributes

Previously, actual field names containing periods and derived field names were ambiguous to Insight Advisor. The fix identifies the concrete field name as the string preceding the base calendar period generated by AutoCalendar.

SHEND-186

Security filter result caching available for SharedContent resource

Results of the rule engine’s evaluation of security rules using SharedContent as the resource filter are now cached. The cache lives in the Qlik Sense Repository Service’s memory. Using it avoids invoking the rule engine and improves performance when the resource is accessed repeatedly. The improvement can be disabled by modifying the following key in the Repository.exe.config file, by default located in "C:\Program Files\Qlik\Sense\Repository", followed by a restart of the Qlik Sense Repository Service:

<add key="UseSecurityCacheForSharedContent" value="true" />

SHEND-567

Improvements to Search feature in the Hub

With a large number of applications in the Hub, the performance of the Search feature could be significantly impaired. This functionality has been improved, but for this release it is disabled by default. It can be enabled by adding the corresponding capability flag to the C:\Program Files\Qlik\Sense\CapabilityService\capabilities.json file, for example:

{
  "contentHash": "2ae4a99c9f17ab76e1eeb27bc4211874",
  "originalClassName": "FeatureToggle",
  "flag": "HUB_OPTIMIZED_SEARCH",
  "enabled": true
}

The new search algorithm relies on the results of the /hublist/myspace request, which is evaluated when the Hub space is accessed. It gives a significant performance improvement, provided that request has completed before the first search is made. Note also that no more than 50 apps are displayed in the search results, even if the query returns more hits.

SHEND-614

Enable configuration of server timeout for duplicating large applications

Duplicating a large application in the Hub would intermittently throw an “App could not be duplicated.” error and leave two copies of the app. This was caused by a hard-coded server request timeout after which a retry was triggered automatically. The timeout value is now exposed for configuration. If not defined, it defaults to 10 minutes (600000 milliseconds). It is configured in the C:\Program Files\Qlik\Sense\ServiceDispatcher\services.conf file:

[globals]
servReqTimeOut=600000
(…)
[broker.parameters]
--server-req-timeout=${servReqTimeOut}
(…)
[hub.parameters]
--server-req-timeout=${servReqTimeOut}
(…)

SHEND-663

Updated NodeJS version

The November 2021 version of Qlik Sense updates the version of NodeJS to address several security vulnerabilities announced by the NodeJS project.

Known issues and limitations

The following issues and limitations were identified at release time. The list is not comprehensive; it does however list all known major issues and limitations.

Clients

  • Third-party extensions are currently not supported on mobile devices, and the Qlik Trusted Extension Developer program does not accredit extensions for use on mobile devices. Depending on individual device specifications, mobile OS, and size of the Qlik Sense app, items generated using a third-party extension might fail to be visualized properly on a mobile device.

  • When consuming Qlik Sense apps using Microsoft Edge browser, touch screen mode is activated by default even when it is run on a non-touch device. Workaround: turn ‘touch screen mode’ off from the navigation menu.

  • When consuming Qlik Sense apps using the Microsoft Edge browser on touch/hybrid devices, the long-press action does not work. This limitation prevents access to functions such as an object’s context menu, which in touch mode requires a long-press. This is a Microsoft Edge issue.
    Workaround: If using a hybrid device, turn the touch mode off and turn it back on again.

  • Export as Anonymous does not work for mashups deployed in a domain that is different from the domain in which Qlik Sense is installed. Export only works for Anonymous if the mashup is deployed in the same domain as Qlik Sense.

  • When using the new “Load Extension” syntax in the load script, the Data load editor syntax completion does not work well after the keyword “Extension” when trying to write the call to an SSE function (AAI function). Nevertheless, the script executes correctly.

  • Legend does not show dimension values that are after row number 3000.

  • Internet Explorer supports a maximum of six web socket connections.
    Workaround: See https://msdn.microsoft.com/library/ee330736(v=vs.85).aspx

  • Exporting a story to PowerPoint has the following limitations:

    1. Titles are not rescaled as HTML; font settings are not yet exported.
    2. Storytelling effects are not applied.
    3. Exported charts may show fixed scroll bars, depending on the export resolution.

  • It is not possible to open the context menu of an org chart on a touch device.

  • When you choose to view data in the context menu in a Dynamic Chart and make a new selection in the app, you need to refresh the browser for the chart to be displayed again.

Dynamic views

  • Dynamic views that are deleted from one app are also deleted from every other app that was using the same view. There is no work-around for this issue other than to avoid deleting views that may already be in use by one or more other apps because of having made copies of these apps.
  • When creating a new dynamic view in the assets panel, if there are one or more existing dynamic views, the dropdown menu item does not automatically change to show the charts of the newly created dynamic view. The user must click on the dropdown menu to choose the newly created view.
  • The data for a dynamic view is automatically refreshed (i.e. re-queried from source) whenever a user enters a sheet containing any charts for that view. The same occurs when entering and then returning from the global selections panel as well as when adding a new chart for the same view. To prevent triggering this automatic refresh behavior, users should refrain from performing these actions on the base app.
  • The view of a dynamic chart is cleared and overlaid with a message indicating a view constraint violation condition whenever the user changes the selection state of the base app such that the view’s constraints are violated. Users should refrain from altering the selection state of the base app at least until they are finished making use of the data in any one of the dynamic view charts.
  • The right-click “Go to source” option on a Snapshot slide for a dynamic chart does not select the actual dynamic chart when changing the view to the base app sheet.
  • Chart settings changes made to dynamic view charts using the Exploration menu are lost after a refresh of the view.
  • Dynamic views currently do not support the Trellis extension.

Managing a Qlik Sense site

  • The QMC Custom Property Edit page can currently handle a limited number of custom properties. If you want to edit custom property values in the QMC, we recommend keeping the number of custom property values to a maximum of 500. If you only want to apply values without modifying them, the QMC can handle up to 10.000 custom property values.

  • The Qlik Logging Service handles communication outages with PostgreSQL by retrying three times to establish the connection and displays an error if unsuccessful. Communication outages with PostgreSQL can occur for a number of reasons and are not always recoverable in the limited time window of three tries.

  • With the current architecture it is not possible, using security rule on HubSection_* resource, to hide “Open hub” link from the “Navigation” menu when accessing app as an anonymous user.
    Workaround: Use reverse proxy configured to redirect “Open hub” link to a preferable landing site

  • When removing app objects from an application via QMC’s interface, deleted objects are not removed from that application’s binary file stored on the file system.

  • Logging utility does not support Postgres 12. The utility uses queries that are not compatible with Postgres 12.

  • The Windows service Qlik Engine cannot be started on a node where the Engine service is disabled through the QMC. Every time Windows restarts on that node, the Engine service fails to start and writes an error to the Windows event log. This can be prevented by temporarily disabling the Engine service in the Windows service manager.

  • Data connection passwords containing special characters (such as "=", "%", or “;”) are not correctly encoded when updated via the Qlik Management Console (QMC). This causes authentication errors when connecting to certain data sources, which can make reload tasks fail.
    The simplest workaround is to use the Data load editor to update the password.
    Note that once the password is updated, the name of the data connection is automatically appended with "(domain_userId)". This can be adjusted later via the QMC.

Qlik Sense Desktop

  • Sorting by expression in a Pivot table may not work as expected.
  • Qlik Sense Desktop can play WebM and Ogg, but not MP4 files due to limitations in Chromium.

Connectors

  • REST connector: The Next token pagination option does not work when the pagination token has the same value for each page.
  • For connectors in the ODBC Connectors Package, only the data types listed as supported in the online help have been verified to work correctly in the Preview and Script editor. However, ODBC Connector Package does not prevent the loading of other data types, so in some cases unsupported data types can be loaded with the load script.
  • ODBC connector: If the user name on the Microsoft Windows system running Qlik Sense Desktop contains letters that are not English alphanumeric characters, database connectors in the ODBC Connector Package do not work properly. Workaround: Change the Windows system locale to match the character set that contains the characters used in the user name. For example, if the System locale on the system running Qlik Sense Desktop is set to English and a user name contains Swedish characters, the System locale setting must be changed to Swedish for the ODBC connector to work properly.
  • Qlik Salesforce Connector does not support PK chunking on sharing objects. PK chunking is supported only on parent objects.
  • Apache Phoenix connector does not support non-Latin characters in metadata.
    The connector may return corrupted data or unpredictable query results when running a query with non-Latin characters in metadata: table names, column names, aliases, etc.

Cloud deployments and Multi-Cloud

  • When downloading a in cloud environments (Qlik Sense Enterprise on Cloud Services and Qlik Sense Enterprise on Kubernetes), expanded rows are not included but stay collapsed.

System requirements notes

Please refer to the online help for information about the requirements for Qlik Sense:

System requirements for Qlik Sense

Downloads

November 2021 releases

https://community.qlik.com/t5/Downloads/tkb-p/Downloads

About Qlik

Qlik is on a mission to create a data-literate world, where everyone can use data to solve their most challenging problems. Only Qlik’s end-to-end data management and analytics platform brings together all of an organization’s data from any source, enabling people at any skill level to use their curiosity to uncover new insights. Companies use Qlik to see more deeply into customer behavior, reinvent business processes, discover new revenue streams, and balance risk and reward. Qlik does business in more than 100 countries and serves over 48,000 customers around the world.

qlik.com
