CVE-2020-9497: Improper input validation of RDP static virtual channels Versions affected: Apache Guacamole 1.1.0 and earlier
Description: Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0. Credit: We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
