Access of Uninitialized Pointer in Guacamole

#VU29482 Access of Uninitialized Pointer in Guacamole

Published: 2020-07-06 | Updated: 2020-07-15

Vulnerability identifier: #VU29482

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2020-9498

CWE-ID: CWE-824

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Guacamole
Web applications / Remote management & hosting panels

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to the affected software mishandles pointers involved in processing data received via RDP static virtual channels. A remote attacker can use a specially crafted PDUs and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Guacamole: 0.8.3 - 1.1.0

CPE

cpe:2.3:a:apache_foundation:guacamole:1.1.0:*:*:*:*:*:*:*

External links
http://seclists.org/oss-sec/2020/q3/3

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Usage of vulnerable Apache Guacamole in Pulse Connect Secure

Multiple vulnerabilities in Apache Guacamole