Lucene search

ApacheCVE-2018-1340

HistoryFeb 07, 2019 - 10:29 p.m.

CVE-2018-1340

2019-02-0722:29:00

CWE-311

apache

web.nvd.nist.gov

apache guacamole

security

session token

cve-2018-1340

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

50.6%

JSON

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain.

Affected configurations

Nvd

Vulners

Node

apacheguacamoleRange≤0.9.14

VendorProductVersionCPE
apacheguacamole*cpe:2.3:a:apache:guacamole:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	guacamole	*	cpe:2.3:a:apache:guacamole::::::::

CNA Affected

[
  {
    "product": "Apache Guacamole",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Guacamole 0.9.4 to 0.9.14"
      }
    ]
  }
]