CVE-2020-9497 Information

Feb 14, 2021 cve

Description

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Reference

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525 https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@3Cuser.guacamole.apache.org3E https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@3Cuser.guacamole.apache.org3E https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@3Cannounce.apache.org3E https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f403Cannounce.guacamole.apache.org3E https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html https://research.checkpoint.com/2020/apache-guacamole-rce/

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

4.4

Share on: