Document vulnerability CVE-2021-43999, fixed in 1.4.0.

commit: f47ef929270cb12059f7e55e61ab0a1ea637f396 [log] [tgz]
author: Michael Jumper <mjumper@apache.org> Tue Jan 11 13:29:40 2022 -0800
committer: Michael Jumper <mjumper@apache.org> Tue Jan 11 13:29:40 2022 -0800
tree: 97fe5c0c08f6de8ae079b2d9f2f6b7d96808768b
parent: 88a823eaf7aac122e8908ed29ade01b39fca5ddc [diff]
diff --git a/_security/CVE-2021-43999.md b/_security/CVE-2021-43999.md
new file mode 100644
index 0000000..0c5f239
--- /dev/null
+++ b/_security/CVE-2021-43999.md

@@ -0,0 +1,13 @@
+---
+title: Improper validation of SAML responses
+cve:   CVE-2021-43999
+fixed: 1.4.0
+---
+
+Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received
+from a SAML identity provider. If SAML support is enabled, this may allow a
+malicious user to assume the identity of another Guacamole user.
+
+Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting
+this issue.
+
commit	f47ef929270cb12059f7e55e61ab0a1ea637f396	[log] [tgz]
author	Michael Jumper <mjumper@apache.org>	Tue Jan 11 13:29:40 2022 -0800
committer	Michael Jumper <mjumper@apache.org>	Tue Jan 11 13:29:40 2022 -0800
tree	97fe5c0c08f6de8ae079b2d9f2f6b7d96808768b
parent	88a823eaf7aac122e8908ed29ade01b39fca5ddc [diff]