Date: Wed, 1 Jul 2020 20:14:11 -0700 From: Mike Jumper <mjumper@...che.org> To: announce@...che.org, announce@...camole.apache.org, dev@...camole.apache.org, user@...camole.apache.org Cc: security@...camole.apache.org, oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels CVE-2020-9497: Improper input validation of RDP static virtual channels Versions affected: Apache Guacamole 1.1.0 and earlier Description: Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0. Credit: We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.