CVE-2020-9497: Improper Input Validation in Apache Guacamole

Severity: 4.4 MEDIUM (NVD)
EPSS: 0.1% (top 75.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 2; latest update May 24

Description

Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 0.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/guacamole 1.1.0
CVEListV5: apache_software_foundation/apache_guacamole, Apache Guacamole 1.1.0 and older

Also affects: Debian Linux 9.0, Fedora 32, 33

🔴 Vulnerability Details (3)

GHSA: GHSA-9q4f-696q-fjxm: Apache Guacamole 1 (2022-05-24)
CVEList: CVE-2020-9497: Apache Guacamole 1 (2020-07-02)
OSV: CVE-2020-9497: Apache Guacamole 1 (2020-07-02)

📋 Vendor Advisories (2)

Debian: CVE-2020-9497: guacamole-server - Apache Guacamole 1.1.0 and older do not properly validate data received from RDP ... (2020)
Apache: Apache guacamole: CVE-2020-9497

💬 Community (4)

Bugzilla: CVE-2020-9497 guacamole-server: Improper input validation of RDP static virtual channels [epel-6] (2020-07-02)
Bugzilla: CVE-2020-9497 guacamole-server: Improper input validation of RDP static virtual channels (2020-07-02)
Bugzilla: CVE-2020-9497 guacamole-server: Improper input validation of RDP static virtual channels [epel-7] (2020-07-02)
Bugzilla: CVE-2020-9497 guacamole-server: Improper input validation of RDP static virtual channels [fedora-all] (2020-07-02)