[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Jul 2020 20:14:11 -0700
From: Mike Jumper <mjumper@...che.org>
To: announce@...che.org, announce@...camole.apache.org,
dev@...camole.apache.org, user@...camole.apache.org
Cc: security@...camole.apache.org, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation
of RDP static virtual channels
CVE-2020-9497: Improper input validation of RDP static virtual channels
Versions affected:
Apache Guacamole 1.1.0 and earlier
Description:
Apache Guacamole 1.1.0 and older do not properly validate data
received from RDP servers via static virtual channels. If a user
connects to a malicious or compromised RDP server, specially-crafted
PDUs could result in disclosure of information within the memory of
the guacd process handling the connection.
Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.
Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check
Point Research) for reporting this issue.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
