CVE-2023-43826

CWE-190 — Integer Overflow CWE-79 — Cross-site Scripting (XSS)6 documents6 sources

Severity

8.8HIGH

EPSS

0.1%

top 75.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Guacamole Apache Guacamole

Timeline

PublishedDec 19

Latest updateOct 1

Description

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.5.4, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/guacamole1.5.3

▶CVEListV5apache_software_foundation/apache_guacamole1.5.3

🔴Vulnerability Details

GHSA

Liferay Portal Vulnerable to XSS in Web Content translation↗2025-10-01

▶

GHSA

GHSA-hhj4-xc5f-6f87: Apache Guacamole 1↗2023-12-19

▶

CVEList

Apache Guacamole: Integer overflow in handling of VNC image buffers↗2023-12-19

▶

OSV

CVE-2023-43826: Apache Guacamole 1↗2023-12-19

▶

📋Vendor Advisories

Apache

Apache guacamole: CVE-2023-43826↗

▶