Source: guacamole-client
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for guacamole-client.

CVE-2021-41767[0]:
| Apache Guacamole 1.3.0 and older may incorrectly include a private
| tunnel identifier in the non-private details of some REST responses.
| This may allow an authenticated user who already has permission to
| access a particular connection to read from or interact with another
| user's active use of that same connection.

https://www.openwall.com/lists/oss-security/2022/01/11/6

CVE-2021-43999[1]:
| Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
| received from a SAML identity provider. If SAML support is enabled,
| this may allow a malicious user to assume the identity of another
| Guacamole user.

https://www.openwall.com/lists/oss-security/2022/01/11/7

CVE-2020-11997[2]:
| Apache Guacamole 1.2.0 and earlier do not consistently restrict access
| to connection history based on user visibility. If multiple users
| share access to the same connection, those users may be able to see
| which other users have accessed that connection, as well as the IP
| addresses from which that connection was accessed, even if those users
| do not otherwise have permission to see other users.

https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E
https://issues.apache.org/jira/browse/GUACAMOLE-1123
https://github.com/apache/guacamole-client/pulls?q=is%3Apr+guacamole-1123+is%3Aclosed
https://github.com/glyptodon/guacamole-client/pull/453
https://enterprise.glyptodon.com/doc/latest/cve-2020-11997-inconsistent-restriction-of-connection-history-visibility-31424710.html
https://enterprise.glyptodon.com/doc/1.x/changelog-950368.html#id-.Changelogv1.x-1.14

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41767
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767
[1] https://security-tracker.debian.org/tracker/CVE-2021-43999
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999
[2] https://security-tracker.debian.org/tracker/CVE-2020-11997
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997

Please adjust the affected versions in the BTS as needed.