Source: guacamole-client
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for guacamole-client.

CVE-2021-41767[0]:
| Apache Guacamole 1.3.0 and older may incorrectly include a private
| tunnel identifier in the non-private details of some REST responses.
| This may allow an authenticated user who already has permission to
| access a particular connection to read from or interact with another
| user's active use of that same connection.

https://www.openwall.com/lists/oss-security/2022/01/11/6

CVE-2021-43999[1]:
| Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
| received from a SAML identity provider. If SAML support is enabled,
| this may allow a malicious user to assume the identity of another
| Guacamole user.

https://www.openwall.com/lists/oss-security/2022/01/11/7

CVE-2020-11997[2]:
| Apache Guacamole 1.2.0 and earlier do not consistently restrict access
| to connection history based on user visibility. If multiple users
| share access to the same connection, those users may be able to see
| which other users have accessed that connection, as well as the IP
| addresses from which that connection was accessed, even if those users
| do not otherwise have permission to see other users.

https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E
https://issues.apache.org/jira/browse/GUACAMOLE-1123
https://github.com/apache/guacamole-client/pulls?q=is%3Apr+guacamole-1123+is%3Aclosed
https://github.com/glyptodon/guacamole-client/pull/453
https://enterprise.glyptodon.com/doc/latest/cve-2020-11997-inconsistent-restriction-of-connection-history-visibility-31424710.html
https://enterprise.glyptodon.com/doc/1.x/changelog-950368.html#id-.Changelogv1.x-1.14

        
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41767
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767
[1] https://security-tracker.debian.org/tracker/CVE-2021-43999
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999
[2] https://security-tracker.debian.org/tracker/CVE-2020-11997
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997

Please adjust the affected versions in the BTS as needed.

Reply via email to