| <!DOCTYPE html> |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| |
| <head> |
| <link rel="stylesheet" href="/styles/main.css?s=1713643709"> |
| <link rel="icon" type="image/svg+xml" href="/images/logos/guac-classic-logo.svg"/> |
| <link rel="icon" type="image/png" href="/images/logos/guac-classic-logo-64.png"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no, target-densitydpi=device-dpi"/> |
| <meta charset="UTF-8"/> |
| <title>Apache Guacamole™: Security Reports</title> |
| </head> |
| |
| |
| <body class=""> |
| |
| <!-- Header --> |
| <div id="header"> |
| <div class="readable-content"> |
| <h1><a href="/">Apache Guacamole™</a></h1> |
| </div> |
| </div> |
| |
| |
| <h1 class="title">Security Reports</h1> |
| |
| <!-- Content --> |
| <div class="readable-content"> |
| <p>This page lists all security vulnerabilities fixed in released versions of |
| Apache Guacamole. Each vulnerability is listed with a description of the |
| problem, its associated <a href="https://cve.mitre.org/about/faqs.html#what_is_cve_id">CVE |
| number</a>, and the |
| Guacamole release in which the vulnerability was fixed.</p> |
| |
| <h2 id="reporting-new-vulnerabilities">Reporting new vulnerabilities</h2> |
| |
| <p>If you believe you have discovered a security problem in Apache Guacamole, |
| please follow <a href="https://en.wikipedia.org/wiki/Responsible_disclosure">responsible |
| disclosure</a> practices and |
| report discovered security issues privately, either to the private security |
| mailing list of the <a href="https://www.apache.org/security/">ASF Security Team</a> or |
| the <a href="mailto:security@guacamole.apache.org">security@guacamole.apache.org</a> mailing list, before disclosing or |
| discussing the issue in a public forum.</p> |
| |
| <h2 id="vulnerabilities-in-dependencies">Vulnerabilities in dependencies</h2> |
| |
| <h3 id="not-affected-by-cve-2023-5129">Is Apache Guacamole affected by CVE-2023-5129?</h3> |
| |
| <p>No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding |
| WebP images, and Guacamole uses libwebp only to encode images, not to decode them.</p> |
| |
| <p>Because libwebp is not bundled within Guacamole, you would also receive |
| updates to the library from your distribution. If you use our Docker |
| images, they are automatically rebuilt nightly to bring in updates |
| from the maintainer of the base image (Alpine Linux), so a pull of the |
| latest image gives you those updates.</p> |
| |
| <h3 id="not-affected-by-cve-2021-44228">Is Apache Guacamole affected by CVE-2021-44228?</h3> |
| |
| <p>No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses |
| <a href="http://logback.qos.ch/">Logback</a> as its logging backend, not Log4j.</p> |
| |
| <h2 id="fixed-in-apache-guacamole-154">Fixed in Apache Guacamole 1.5.4</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2023-43826"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43826">CVE-2023-43826</a>: |
| Integer overflow in handling of VNC image buffers |
| </h3> |
| |
| <p>Apache Guacamole 1.5.3 and older do not consistently ensure that values |
| received from a VNC server will not result in integer overflow. If a user |
| connects to a malicious or compromised VNC server, specially crafted data could |
| result in memory corruption, possibly allowing arbitrary code to be executed |
| with the privileges of the running guacd process.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Joseph Surin (Elttam) and Matt Jones (Elttam) for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-apache-guacamole-152">Fixed in Apache Guacamole 1.5.2</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2023-30575"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30575">CVE-2023-30575</a>: |
| Incorrect calculation of Guacamole protocol element lengths |
| </h3> |
| |
| <p>Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of |
| instruction elements sent during the Guacamole protocol handshake, potentially |
| allowing an attacker to inject Guacamole instructions during the handshake |
| through specially-crafted data.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.</p> |
| |
| </li> |
| |
| <li> |
| <h3 id="CVE-2023-30576"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30576">CVE-2023-30576</a>: |
| Use-after-free in handling of RDP audio input buffer |
| </h3> |
| |
| <p>Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP |
| audio input buffer. Depending on timing, this may allow an attacker to execute |
| arbitrary code with the privileges of the guacd process.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-apache-guacamole-140">Fixed in Apache Guacamole 1.4.0</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2021-43999"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999">CVE-2021-43999</a>: |
| Improper validation of SAML responses |
| </h3> |
| |
| <p>Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received |
| from a SAML identity provider. If SAML support is enabled, this may allow a |
| malicious user to assume the identity of another Guacamole user.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting this issue.</p> |
| |
| </li> |
| |
| <li> |
| <h3 id="CVE-2021-41767"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767">CVE-2021-41767</a>: |
| Private tunnel identifier may be included in the non-private details of active connections |
| </h3> |
| |
| <p>Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel |
| identifier in the non-private details of some REST responses. This may allow an |
| authenticated user who already has permission to access a particular connection |
| to read from or interact with another user’s active use of that same |
| connection.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-apache-guacamole-130">Fixed in Apache Guacamole 1.3.0</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2020-11997"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997">CVE-2020-11997</a>: |
| Inconsistent restriction of connection history visibility |
| </h3> |
| |
| <p>Apache Guacamole 1.2.0 and older do not consistently restrict access to |
| connection history based on user visibility. If multiple users share access to |
| the same connection, those users may be able to see which other users have |
| accessed that connection, as well as the IP addresses from which that |
| connection was accessed, even if those users do not otherwise have permission |
| to see other users.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank William Le Berre (Synetis) for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-apache-guacamole-120">Fixed in Apache Guacamole 1.2.0</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2020-9498"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9498">CVE-2020-9498</a>: |
| Dangling pointer in RDP static virtual channel handling |
| </h3> |
| |
| <p>Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing |
| data received via RDP static virtual channels. If a user connects to a |
| malicious or compromised RDP server, a series of specially-crafted PDUs could |
| result in memory corruption, possibly allowing arbitrary code to be executed |
| with the privileges of the running guacd process.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.</p> |
| |
| </li> |
| |
| <li> |
| <h3 id="CVE-2020-9497"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9497">CVE-2020-9497</a>: |
| Improper input validation of RDP static virtual channels |
| </h3> |
| |
| <p>Apache Guacamole 1.1.0 and older do not properly validate data received from |
| RDP servers via static virtual channels. If a user connects to a malicious or |
| compromised RDP server, specially-crafted PDUs could result in disclosure of |
| information within the memory of the guacd process handling the connection.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-apache-guacamole-100">Fixed in Apache Guacamole 1.0.0</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2018-1340"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1340">CVE-2018-1340</a>: |
| Secure flag missing from session cookie |
| </h3> |
| |
| <p>Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the |
| user’s session token. This cookie lacked the “secure” flag, which could allow |
| an attacker eavesdropping on the network to intercept the user’s session token |
| if unencrypted HTTP requests are made to the same domain.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Ross Golder for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-guacamole-099-pre-apache-release">Fixed in Guacamole 0.9.9 (pre-Apache release)</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2016-1566"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566">CVE-2016-1566</a>: |
| Stored cross-site scripting (XSS) in file browser |
| </h3> |
| |
| <p>A cross-site scripting (XSS) vulnerability was discovered through which files |
| with specially-crafted filenames could lead to JavaScript execution if file |
| transfer is enabled to a location which is shared by multiple users, and the |
| filename is displayed within the file browser located within the Guacamole |
| menu.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Niv Levy for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| <h2 id="fixed-in-guacamole-063-pre-apache-release">Fixed in Guacamole 0.6.3 (pre-Apache release)</h2> |
| <ul class="cve-list"> |
| |
| <li> |
| <h3 id="CVE-2012-4415"> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4415">CVE-2012-4415</a>: |
| Buffer overflow in guac_client_plugin_open() |
| </h3> |
| |
| <p>A stack-based buffer overflow vulnerability was discovered in the |
| <code class="language-plaintext highlighter-rouge">guac_client_plugin_open()</code> function in libguac in Guacamole before 0.6.3 |
| which could allow remote attackers to cause a denial of service (crash) or |
| execute arbitrary code via a long protocol name.</p> |
| |
| |
| |
| <p>Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting this issue.</p> |
| |
| </li> |
| |
| </ul> |
| |
| |
| |
| |
| </div> |
| |
| <!-- Footer --> |
| <div id="footer"> |
| <div class="readable-content"> |
| |
| <!-- Copyrights --> |
| <p class="copyright"> |
| Copyright © 2024 <a href="http://www.apache.org/">The Apache |
| Software Foundation</a>, Licensed under the <a |
| href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, |
| Version 2.0</a>. |
| </p> |
| |
| <!-- Trademarks --> |
| <p class="trademarks"> |
| Apache Guacamole, Guacamole, Apache, the Apache feather logo, and the |
| Apache Guacamole project logo are trademarks of The Apache Software |
| Foundation. |
| </p> |
| |
| </div> |
| </div> |
| |
| |
| <!-- jQuery --> |
| <script src="/scripts/jquery.min.js" type="text/javascript"></script> |
| |
| <!-- Dropdown toggle --> |
| <script src="/scripts/dropdown.js" type="text/javascript"></script> |
| |
| </body> |
| </html> |