guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From DMoscovi...@simard.ca
Subject Re: [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
Date Sun, 27 Jan 2019 01:26:08 GMT
Would that mean if the server, if accessable only by 
https://guacamole.domain.com/something/
and http was blocked. it would be ok? in this case?





From:   "Mike Jumper" <mjumper@apache.org>
To:     user@guacamole.apache.org, dev@guacamole.apache.org, 
announce@apache.org, announce@guacamole.apache.org, 
security@guacamole.apache.org
Date:   01/23/19 05:21 PM
Subject:        [SECURITY] CVE-2018-1340: Secure flag missing from Apache 
Guacamole session cookie



CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.


Mime
View raw message