CVE-2021-41767

CWE-200Information Exposure5 documents5 sources
Severity
6.5MEDIUM
EPSS
0.6%
top 31.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache GuacamoleApache Guacamole
Timeline
PublishedJan 11
Latest updateFeb 15

Description

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDapache/guacamole1.3.0
CVEListV5apache_software_foundation/apache_guacamoleunspecified1.3.0

🔴Vulnerability Details

3
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Apache Guacamole2022-02-15
CVEList
Private tunnel identifier may be included in the non-private details of active connections2022-01-11
OSV
CVE-2021-41767: Apache Guacamole 12022-01-11

📋Vendor Advisories

1
Apache
Apache guacamole: CVE-2021-41767
CVE-2021-41767 (MEDIUM CVSS 6.5) | Apache Guacamole 1.3.0 and older ma | cvebase.io