guacamole-announce mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels
Date Thu, 02 Jul 2020 03:14:11 GMT
CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data
received from RDP servers via static virtual channels. If a user
connects to a malicious or compromised RDP server, specially-crafted
PDUs could result in disclosure of information within the memory of
the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check
Point Research) for reporting this issue.
