[
https://issues.apache.org/jira/browse/GUACAMOLE-2006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17906865#comment-17906865
]
Mike Jumper commented on GUACAMOLE-2006:
----------------------------------------
There is a long-running, very involved effort to migrate everything to Angular
(the TypeScript-based framework that grew out of AngularJS): GUACAMOLE-1085
Until that fully materializes, we routinely check any vulnerabilities reported
against dependencies to make sure Guacamole is unaffected, including AngularJS.
Thus far, there are no vulnerabilities in AngularJS that have any impact on
Guacamole, including those listed above.
Here's a rundown:
|| CVE ID || Affects Guacamole? ||
| [CVE-2019-10768|https://nvd.nist.gov/vuln/detail/CVE-2019-10768] | *No.*
Guacamole uses AngularJS 1.8.3, while this vulnerability was addressed by
AngularJS 1.7.9. |
| [CVE-2019-14863|https://nvd.nist.gov/vuln/detail/CVE-2019-14863] | *No.*
Guacamole uses AngularJS 1.8.3, while this vulnerability was addressed by
AngularJS 1.5.0. |
| [CVE-2020-7676|https://nvd.nist.gov/vuln/detail/CVE-2020-7676] | *No.* The
vulnerability is specific to "JQLite", the minimal version of jQuery provided
and used by AngularJS when full jQuery is not available. In the case of
Guacamole, the full version of jQuery is present, and under no circumstances is
untrusted or user-supplied data passed to jQuery for DOM manipulation. |
| [CVE-2022-25869|https://nvd.nist.gov/vuln/detail/CVE-2022-25869] | *No.* This
issue deals specifically with Internet Explorer and its insecure caching
behavior of {{<textarea>}} elements. This does not affect the behavior of
{{<textarea>}} elements within Guacamole because of the dynamic nature of the
UI (there are no {{<textarea>}} elements visible to Internet Explorer's cache).
|
| [CVE-2023-26116|https://nvd.nist.gov/vuln/detail/CVE-2023-26116],
[CVE-2023-26117|https://nvd.nist.gov/vuln/detail/CVE-2023-26117],
[CVE-2023-26118|https://nvd.nist.gov/vuln/detail/CVE-2023-26118] | *No.* There
are no known cases, theoretical or otherwise, where regular expression
denial-of-service would be possible for the component in question. In
Guacamole, AngularJS is used strictly on the client side, and there are no code
paths that would allow a malicious user to force other users to use
specially-crafted inputs to affect the performance of their browser. |
If you have any questions on the above or encounter something new, please reach
out privately by sending an email to [mailto:[email protected]].
That will ensure the project can safely issue a release with a mitigation if an
issue turns up that _does_ affect Guacamole. See:
https://guacamole.apache.org/security/
We also have some changes in progress to update our security page to list
frequently discussed vulnerabilities in dependencies that have no impact on
Guacamole, to hopefully help reduce confusion.
> When scanning Guacamole (ver. 1.5.5) for vulnerabilities, the following
> problems were found: CVE-2023-26116 CVE-2022-25869 CVE-2019-14863
> CVE-2020-7676 CVE-2023-26117 CVE-2019-10768 CVE-2023-26118
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2006
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2006
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole
> Affects Versions: 1.5.5
> Reporter: Vadim
> Priority: Major
>
> When scanning Guacamole (ver. 1.5.5) for vulnerabilities, the following
> problems were found: CVE-2023-26116 CVE-2022-25869 CVE-2019-14863
> CVE-2020-7676 CVE-2023-26117 CVE-2019-10768 CVE-2023-26118
> They affect the library angular.min.js
> Are there any plans to eliminate vulnerabilities?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
