oss-sec mailing list archives
[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels
From: Mike Jumper <mjumper () apache org>
Date: Wed, 1 Jul 2020 20:14:11 -0700
CVE-2020-9497: Improper input validation of RDP static virtual channels Versions affected: Apache Guacamole 1.1.0 and earlier Description: Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection. Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0. Credit: We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
Current thread:
- [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels Mike Jumper (Jul 02)