Bug#1015986: guacamole-client: CVE-2021-41767 CVE-2021-43999 CVE-2020-11997
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 24 19:59:58 BST 2022
Source: guacamole-client
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for guacamole-client.
CVE-2021-41767[0]:
| Apache Guacamole 1.3.0 and older may incorrectly include a private
| tunnel identifier in the non-private details of some REST responses.
| This may allow an authenticated user who already has permission to
| access a particular connection to read from or interact with another
| user's active use of that same connection.
https://www.openwall.com/lists/oss-security/2022/01/11/6
CVE-2021-43999[1]:
| Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
| received from a SAML identity provider. If SAML support is enabled,
| this may allow a malicious user to assume the identity of another
| Guacamole user.
https://www.openwall.com/lists/oss-security/2022/01/11/7
CVE-2020-11997[2]:
| Apache Guacamole 1.2.0 and earlier do not consistently restrict access
| to connection history based on user visibility. If multiple users
| share access to the same connection, those users may be able to see
| which other users have accessed that connection, as well as the IP
| addresses from which that connection was accessed, even if those users
| do not otherwise have permission to see other users.
https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E
https://issues.apache.org/jira/browse/GUACAMOLE-1123
https://github.com/apache/guacamole-client/pulls?q=is%3Apr+guacamole-1123+is%3Aclosed
https://github.com/glyptodon/guacamole-client/pull/453
https://enterprise.glyptodon.com/doc/latest/cve-2020-11997-inconsistent-restriction-of-connection-history-visibility-31424710.html
https://enterprise.glyptodon.com/doc/1.x/changelog-950368.html#id-.Changelogv1.x-1.14
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41767
[1] https://security-tracker.debian.org/tracker/CVE-2021-43999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43999
[2] https://security-tracker.debian.org/tracker/CVE-2020-11997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11997
Please adjust the affected versions in the BTS as needed.