CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
50.6%
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340). Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection (CVE-2020-9497). Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process (CVE-2020-9498). Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users (CVE-2020-11997). This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 7 | noarch | guacd | < 1.3.0-1 | guacd-1.3.0-1.mga7 |
Mageia | 7 | noarch | util-linux | < 2.33.2-1.1 | util-linux-2.33.2-1.1.mga7 |
Mageia | 7 | noarch | ossp_uuid | < 1.6.2-21.1 | ossp_uuid-1.6.2-21.1.mga7 |
bugs.mageia.org/show_bug.cgi?id=24509
bugs.mageia.org/show_bug.cgi?id=27593
bugs.mageia.org/show_bug.cgi?id=28158
lists.fedoraproject.org/archives/list/[email protected]/thread/32RWZPQ7FRP73BVKOQK27XV6TX47TT3R/
lists.fedoraproject.org/archives/list/[email protected]/thread/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
www.openwall.com/lists/oss-security/2021/01/18/1
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
50.6%