RSS   Vulnerabilities for 'Guacamole'   RSS

2022-01-11
 
CVE-2021-41767

CWE-200
 

 
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

 
 
CVE-2021-43999

CWE-287
 

 
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

 
2021-01-19
 
CVE-2020-11997

CWE-276
 

 
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

 
2020-07-02
 
CVE-2020-9498

CWE-119
 

 
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed with the privileges of therunning guacd process.

 
 
CVE-2020-9497

CWE-200
 

 
Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.

 
2019-02-07
 
CVE-2018-1340

CWE-311
 

 
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.

 
2018-01-18
 
CVE-2017-3158

CWE-362
 

 
A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the remaining data being written beyond the end of a statically-allocated buffer.

 

 >>> Vendor: Apache 247 Products
Http server
Tomcat
Jserv
Mod python
Traffic server
Openoffice
Cocoon
Spamassassin
Subversion
Jspwiki
Xerces-c++
James
Mod auth radius
Coyote http connector
Mod imap
Struts
Derby
Libapreq2
Jetspeed
Geronimo
FLEX
Log4net
Open for business project
Opentaps
Apache http server
Tomcat jk web server connector
Apache test
Mod perl
AXIS
Myfaces tomahawk
Storm
Jakarta slide
Openoffice.org
Mod jk
Apache webserver
Roller
Apr-util
Jackrabbit
Tiles
Portable runtime
APR
SOLR
QPID
Couchdb
Axis2
Activemq
Myfaces
CXF
Archiva
Shiro
Mod fcgid
Libcloud
Continuum
Httpclient
Rampart/c
Wicket
Apache commons daemon
Http server2.0a1
Http server2.0a2
Http server2.0a3
Http server2.0a4
Http server2.0a5
Http server2.0a6
Http server2.0a7
Http server2.0a8
Http server2.0a9
Hadoop
Commons-compress
Org.apache.sling.servlets.post
POI
Guacamole
Cloudstack
Commons-httpclient
Commons fileupload
RAVE
Maven
Openjpa
Struts2-showcase
Xml security for c++
Xml security for java
Camel
Shindig
Sling auth core component
Sling
Mod dontdothat
Mod dav svn
Cordova
Xalan-java
Zookeeper
Syncope
Harmony
Hbase
Httpasyncclient
Ofbiz
Apache axis2/c
Wss4j
Mod auth mellon
HIVE
Xml security
Santuario xml security for java
See all Products for Vendor Apache


Copyright 2024, cxsecurity.com

 

Back to Top