CVE-2018-1340Missing Encryption of Sensitive Data in Apache Guacamole

CWE-311Missing Encryption of Sensitive Data11 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 29.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache GuacamoleApache Software Foundation Apache Guacamole
Timeline
PublishedFeb 7
Latest updateMay 13

Description

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/guacamole0.9.14
CVEListV5apache_software_foundation/apache_guacamoleApache Guacamole 0.9.4 to 0.9.14

🔴Vulnerability Details

4
GHSA
Missing Encryption of Sensitive Data in Apache Guacamole2022-05-13
OSV
Missing Encryption of Sensitive Data in Apache Guacamole2022-05-13
OSV
CVE-2018-1340: Prior to 12019-02-07
CVEList
CVE-2018-1340: Prior to 12019-02-07

📋Vendor Advisories

1
Apache
Apache guacamole: CVE-2018-1340

💬Community

5
Bugzilla
CVE-2018-1340 guacamole: Secure flag missing from Apache Guacamole session cookie2019-01-24
Bugzilla
CVE-2018-1340 guacamole-server: guacamole: Secure flag missing from Apache Guacamole session cookie [fedora-all]2019-01-24
Bugzilla
CVE-2018-1340 guacamole-server: guacamole: Secure flag missing from Apache Guacamole session cookie [epel-all]2019-01-24
Bugzilla
CVE-2018-1340 guacamole: Secure flag missing from Apache Guacamole session cookie [epel-all]2019-01-24
Bugzilla
CVE-2018-1340 guacamole: Secure flag missing from Apache Guacamole session cookie [fedora-all]2019-01-24
CVE-2018-1340 — Missing Encryption of Sensitive Data | cvebase