Improper Input Validation in Apache Guacamole RDP Handling
CVE-2020-9497

4.4MEDIUM

Key Information:

Vendor
Apache
Status
Apache Guacamole
Vendor
CVE Published:
2 July 2020

Summary

Apache Guacamole versions 1.1.0 and earlier are susceptible to an input validation flaw when handling Remote Desktop Protocol (RDP) connections. This vulnerability arises when the system fails to properly validate data received from RDP servers via static virtual channels. An attacker can exploit this flaw by convincing a user to connect to a compromised RDP server, which could lead to the disclosure of sensitive information stored in the memory of the guacd process that manages these connections. It is crucial for users of Apache Guacamole to implement necessary security patches and upgrades to mitigate this risk.

Affected Version(s)

Apache Guacamole Apache Guacamole 1.1.0 and older

References

https://lists.apache.org/thread.html/r65f75d3d65d1af68141...
x_refsource_MISC
https://lists.apache.org/thread.html/r3f071de70ea1facd360...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r066543f0565e97b27c0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.