<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" href="/styles/main.css?s=1713643709">
<link rel="icon" type="image/svg+xml" href="/images/logos/guac-classic-logo.svg"/>
<link rel="icon" type="image/png" href="/images/logos/guac-classic-logo-64.png"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no, target-densitydpi=device-dpi"/>
<meta charset="UTF-8"/>
<title>Apache Guacamole™: Security Reports</title>
</head>
<body class="">
<!-- Header -->
<div id="header">
<div class="readable-content">
<h1><a href="/">Apache Guacamole™</a></h1>
</div>
</div>
<h1 class="title">Security Reports</h1>
<!-- Content -->
<div class="readable-content">
<p>This page lists all security vulnerabilities fixed in released versions of
Apache Guacamole. Each vulnerability is listed with a description of the
problem, its associated <a href="https://cve.mitre.org/about/faqs.html#what_is_cve_id">CVE
number</a>, and the
Guacamole release in which the vulnerability was fixed.</p>
<h2 id="reporting-new-vulnerabilities">Reporting new vulnerabilities</h2>
<p>If you believe you have discovered a security problem in Apache Guacamole,
please follow <a href="https://en.wikipedia.org/wiki/Responsible_disclosure">responsible
disclosure</a> practices and
report discovered security issues privately, either to the private security
mailing list of the <a href="https://www.apache.org/security/">ASF Security Team</a> or
the <a href="mailto:security@guacamole.apache.org">security@guacamole.apache.org</a> mailing list, before disclosing or
discussing the issue in a public forum.</p>
<h2 id="vulnerabilities-in-dependencies">Vulnerabilities in dependencies</h2>
<h3 id="not-affected-by-cve-2023-5129">Is Apache Guacamole affected by CVE-2023-5129?</h3>
<p>No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding
WebP images, not encoding, and Guacamole uses libwebp only to encode images.</p>
<p>Updates to libwebp also come from your distribution, as the library itself
is not bundled within Guacamole. If you use our Docker images, the images are
automatically rebuilt nightly to bring in updates from the maintainer of the
base image (Alpine Linux), so pulling the latest image gives you an updated
image.</p>
<h3 id="not-affected-by-cve-2021-44228">Is Apache Guacamole affected by CVE-2021-44228?</h3>
<p>No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses
<a href="http://logback.qos.ch/">Logback</a> as its logging backend, not Log4j.</p>
<h2 id="fixed-in-apache-guacamole-154">Fixed in Apache Guacamole 1.5.4</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2023-43826">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43826">CVE-2023-43826</a>:
Integer overflow in handling of VNC image buffers
</h3>
<p>Apache Guacamole 1.5.3 and older do not consistently ensure that values
received from a VNC server will not result in integer overflow. If a user
connects to a malicious or compromised VNC server, specially crafted data could
result in memory corruption, possibly allowing arbitrary code to be executed
with the privileges of the running guacd process.</p>
<p>Acknowledgements: We would like to thank Joseph Surin (Elttam) and Matt Jones (Elttam) for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-apache-guacamole-152">Fixed in Apache Guacamole 1.5.2</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2023-30575">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30575">CVE-2023-30575</a>:
Incorrect calculation of Guacamole protocol element lengths
</h3>
<p>Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of
instruction elements sent during the Guacamole protocol handshake, potentially
allowing an attacker to inject Guacamole instructions during the handshake
through specially-crafted data.</p>
<p>Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.</p>
</li>
<li>
<h3 id="CVE-2023-30576">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30576">CVE-2023-30576</a>:
Use-after-free in handling of RDP audio input buffer
</h3>
<p>Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP
audio input buffer. Depending on timing, this may allow an attacker to execute
arbitrary code with the privileges of the guacd process.</p>
<p>Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-apache-guacamole-140">Fixed in Apache Guacamole 1.4.0</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2021-43999">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999">CVE-2021-43999</a>:
Improper validation of SAML responses
</h3>
<p>Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received
from a SAML identity provider. If SAML support is enabled, this may allow a
malicious user to assume the identity of another Guacamole user.</p>
<p>Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting this issue.</p>
</li>
<li>
<h3 id="CVE-2021-41767">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767">CVE-2021-41767</a>:
Private tunnel identifier may be included in the non-private details of active connections
</h3>
<p>Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel
identifier in the non-private details of some REST responses. This may allow an
authenticated user who already has permission to access a particular connection
to read from or interact with another user’s active use of that same
connection.</p>
<p>Acknowledgements: We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-apache-guacamole-130">Fixed in Apache Guacamole 1.3.0</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2020-11997">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997">CVE-2020-11997</a>:
Inconsistent restriction of connection history visibility
</h3>
<p>Apache Guacamole 1.2.0 and older do not consistently restrict access to
connection history based on user visibility. If multiple users share access to
the same connection, those users may be able to see which other users have
accessed that connection, as well as the IP addresses from which that
connection was accessed, even if those users do not otherwise have permission
to see other users.</p>
<p>Acknowledgements: We would like to thank William Le Berre (Synetis) for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-apache-guacamole-120">Fixed in Apache Guacamole 1.2.0</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2020-9498">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498">CVE-2020-9498</a>:
Dangling pointer in RDP static virtual channel handling
</h3>
<p>Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing
data received via RDP static virtual channels. If a user connects to a
malicious or compromised RDP server, a series of specially-crafted PDUs could
result in memory corruption, possibly allowing arbitrary code to be executed
with the privileges of the running guacd process.</p>
<p>Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.</p>
</li>
<li>
<h3 id="CVE-2020-9497">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497">CVE-2020-9497</a>:
Improper input validation of RDP static virtual channels
</h3>
<p>Apache Guacamole 1.1.0 and older do not properly validate data received from
RDP servers via static virtual channels. If a user connects to a malicious or
compromised RDP server, specially-crafted PDUs could result in disclosure of
information within the memory of the guacd process handling the connection.</p>
<p>Acknowledgements: We would like to thank GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-apache-guacamole-100">Fixed in Apache Guacamole 1.0.0</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2018-1340">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340">CVE-2018-1340</a>:
Secure flag missing from session cookie
</h3>
<p>Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the
user’s session token. This cookie lacked the “secure” flag, which could allow
an attacker eavesdropping on the network to intercept the user’s session token
if unencrypted HTTP requests are made to the same domain.</p>
<p>Acknowledgements: We would like to thank Ross Golder for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-guacamole-099-pre-apache-release">Fixed in Guacamole 0.9.9 (pre-Apache release)</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2016-1566">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566">CVE-2016-1566</a>:
Stored cross-site scripting (XSS) in file browser
</h3>
<p>A cross-site scripting (XSS) vulnerability was discovered through which files
with specially-crafted filenames could lead to JavaScript execution if file
transfer is enabled to a location which is shared by multiple users, and the
filename is displayed within the file browser located within the Guacamole
menu.</p>
<p>Acknowledgements: We would like to thank Niv Levy for reporting this issue.</p>
</li>
</ul>
<h2 id="fixed-in-guacamole-063-pre-apache-release">Fixed in Guacamole 0.6.3 (pre-Apache release)</h2>
<ul class="cve-list">
<li>
<h3 id="CVE-2012-4415">
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4415">CVE-2012-4415</a>:
Buffer overflow in guac_client_plugin_open()
</h3>
<p>A stack-based buffer overflow vulnerability was discovered in the
<code class="language-plaintext highlighter-rouge">guac_client_plugin_open()</code> function in libguac in Guacamole before 0.6.3
which could allow remote attackers to cause a denial of service (crash) or
execute arbitrary code via a long protocol name.</p>
<p>Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting this issue.</p>
</li>
</ul>
</div>
<!-- Footer -->
<div id="footer">
<div class="readable-content">
<!-- Copyrights -->
<p class="copyright">
Copyright &copy; 2024 <a href="http://www.apache.org/">The Apache
Software Foundation</a>, Licensed under the <a
href="http://www.apache.org/licenses/LICENSE-2.0">Apache License,
Version 2.0</a>.
</p>
<!-- Trademarks -->
<p class="trademarks">
Apache Guacamole, Guacamole, Apache, the Apache feather logo, and the
Apache Guacamole project logo are trademarks of The Apache Software
Foundation.
</p>
</div>
</div>
<!-- jQuery -->
<script src="/scripts/jquery.min.js" type="text/javascript"></script>
<!-- Dropdown toggle -->
<script src="/scripts/dropdown.js" type="text/javascript"></script>
</body>
</html>