Input validation error in Guacamole

#VU29481 Input validation error in Guacamole

Published: 2020-07-06

Vulnerability identifier: #VU29481

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-9497

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Guacamole
Web applications / Remote management & hosting panels

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to insufficient validation of user-supplied input of RDP static virtual channels. A remote attacker can use a specially crafted PDUs to disclose sensitive information within the memory of the guacd process handling the connection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Guacamole: 0.8.3 - 1.1.0

CPE

cpe:2.3:a:apache_foundation:guacamole:1.1.0:*:*:*:*:*:*:*

External links
http://seclists.org/oss-sec/2020/q3/2

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Usage of vulnerable Apache Guacamole in Pulse Connect Secure

Multiple vulnerabilities in Apache Guacamole