Apache Guacamole
By the Year
In 2023 there have been 0 vulnerabilities in Apache Guacamole. Last year Guacamole had 2 security vulnerabilities published. Right now, Guacamole is on track to have fewer security vulnerabilities in 2023 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 0 | 0.00 |
2022 | 2 | 7.65 |
2021 | 2 | 3.70 |
2020 | 2 | 5.55 |
2019 | 2 | 7.50 |
2018 | 0 | 0.00 |
It may take a day or so for new Guacamole vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Guacamole Security Vulnerabilities
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider
CVE-2021-43999
8.8 - High
- January 11, 2022
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
Authentication
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses
CVE-2021-41767
6.5 - Medium
- January 11, 2022
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.
Information Disclosure
curl 7.7 through 7.76.1 suffers
CVE-2021-22898
3.1 - Low
- June 11, 2021
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
Missing Initialization of Resource
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility
CVE-2020-11997
4.3 - Medium
- January 19, 2021
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.
Incorrect Default Permissions
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels
CVE-2020-9497
4.4 - Medium
- July 02, 2020
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
Information Disclosure
Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels
CVE-2020-9498
6.7 - Medium
- July 02, 2020
Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Buffer Overflow
SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW
CVE-2019-19603
7.5 - High
- December 09, 2019
SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token
CVE-2018-1340
7.5 - High
- February 07, 2019
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
Missing Encryption of Sensitive Data
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users
CVE-2016-1566
5.4 - Medium
- February 02, 2017
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed.
XSS
