Severity: moderate
Base CVSS Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Affected versions:
- Apache Guacamole through 1.5.1
Description:
Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths
of instruction elements sent during the Guacamole protocol handshake,
potentially allowing an attacker to inject Guacamole instructions during
the handshake through specially-crafted data.
Mitigation:
Users of versions of Apache Guacamole 1.5.1 and older should upgrade to
the 1.5.2 release.
Credit:
We would like to thank Stefan Schiller (Sonar) for reporting this issue.
References:
https://guacamole.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-30575
Timeline:
2023-04-11: Reported to [email protected]
2023-04-11: Report acknowledged by project
2023-04-12: Report confirmed by project
2023-05-09: Fix completed and merged
2023-05-09: Fix tested and confirmed by reporter
2023-05-25: Fix released
