<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mike Jumper <mjumper () apache org>
Date: Wed, 1 Jul 2020 20:14:11 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
CVE-2020-9497: Improper input validation of RDP static virtual channels

Versions affected:
Apache Guacamole 1.1.0 and earlier

Description:
Apache Guacamole 1.1.0 and older do not properly validate data
received from RDP servers via static virtual channels. If a user
connects to a malicious or compromised RDP server, specially-crafted
PDUs could result in disclosure of information within the memory of
the guacd process handling the connection.

Mitigation:
Users of versions of Apache Guacamole 1.1.0 and older that provide
access to untrusted RDP servers should upgrade to 1.2.0.

Credit:
We would like to thank the GitHub Security Lab and Eyal Itkin (Check
Point Research) for reporting this issue.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->