7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
50.1%
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340). Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection (CVE-2020-9497). Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process (CVE-2020-9498). Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users (CVE-2020-11997). This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 7 | noarch | guacd | < 1.3.0-1 | guacd-1.3.0-1.mga7 |
Mageia | 7 | noarch | util-linux | < 2.33.2-1.1 | util-linux-2.33.2-1.1.mga7 |
Mageia | 7 | noarch | ossp_uuid | < 1.6.2-21.1 | ossp_uuid-1.6.2-21.1.mga7 |
bugs.mageia.org/show_bug.cgi?id=24509
bugs.mageia.org/show_bug.cgi?id=27593
bugs.mageia.org/show_bug.cgi?id=28158
lists.fedoraproject.org/archives/list/[email protected]/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
lists.fedoraproject.org/archives/list/[email protected]/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
www.openwall.com/lists/oss-security/2021/01/18/1
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
50.1%