Private tunnel identifier may be included in the non-private details of active connections
CVE-2021-41767

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Guacamole
Vendor: CVE Published:; 11 January 2022

Summary

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

Affected Version(s)

Apache Guacamole <= 1.3.0

References

https://lists.apache.org/thread/5l31k4jmzdsfz0xt8osrbl878...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/01/11/6

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 11, 2022
Vulnerability Reserved
Sep 28, 2021

Credit

We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.