Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths
CVE-2023-30575

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 7 June 2023

Summary

Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.

Affected Version(s)

Apache Guacamole: versions from 0 up to and including 1.5.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stefan Schiller (Sonar)