www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mjum...@apache.org>
Subject [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
Date Wed, 23 Jan 2019 22:20:45 GMT
CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.

Mime
View raw message