This page lists all security vulnerabilities fixed in released versions of Apache Guacamole. Each vulnerability is listed with a description of the problem, its associated CVE number, and the Guacamole release in which the vulnerability was fixed.
If you believe you have discovered a security problem in Apache Guacamole, please follow responsible disclosure practices and report discovered security issues privately, either to the private security mailing list of the ASF Security Team or the security@guacamole.apache.org mailing list, before disclosing or discussing the issue in a public forum.
No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding WebP images, not encoding.
You would also receive updates to libwebp from your distribution, as the library itself is not bundled with Guacamole. If you use our Docker images, they are rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and pulling the latest image gives you an updated image.
No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses Logback as its logging backend, not Log4j.
No. We routinely check for known vulnerabilities in AngularJS and manually verify that Guacamole is not impacted by each.
If you believe a new vulnerability in AngularJS may require specific remediation within Guacamole, please reach out to us by sending an email to security@guacamole.apache.org and we will investigate promptly. If a potential vulnerability in AngularJS does need to be addressed, we will work with you to issue a release of Guacamole that addresses it.
Releases of Guacamole 1.x will continue to use AngularJS for compatibility, while Guacamole 2.0.0 onward is planned to use Angular (the TypeScript-based framework that supersedes AngularJS).
Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Acknowledgements: We would like to thank Joseph Surin (Elttam) and Matt Jones (Elttam) for reporting this issue.
Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.
Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.
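The handshake issue above is a length-accounting problem in the Guacamole protocol, whose instructions are comma-separated elements of the form `length.value` terminated by `;` (for example `6.select,3.vnc;`). The following parser is an added example, not libguac's code: it accepts an element only if the byte after the declared number of characters is actually a separator, so a length that "lies" cannot turn the rest of the buffer into a second instruction. The `MAX_ELEMENTS`, `MAX_ELEMENT_LENGTH` limits and the result codes are hypothetical choices for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ELEMENTS 8           /* hypothetical per-instruction limit */
#define MAX_ELEMENT_LENGTH 64    /* hypothetical limit in characters */
#define MAX_ELEMENT_BYTES (MAX_ELEMENT_LENGTH * 4) /* 4 bytes per UTF-8 char max */

enum { PARSE_INCOMPLETE = -1, PARSE_INVALID = -2 };

/* Advance one UTF-8 character (lead byte plus continuation bytes), never past end. */
static const char *utf8_next(const char *p, const char *end) {
    if (p >= end) return NULL;
    p++;
    while (p < end && (((unsigned char)*p) & 0xC0) == 0x80) p++;
    return p;
}

/* Parse one instruction from buf into elems (NUL-terminated copies).
 * Declared lengths are counted in characters, as the protocol specifies, and
 * every element must end exactly at a ',' or ';'. Returns bytes consumed,
 * PARSE_INCOMPLETE if more input is needed, or PARSE_INVALID on any mismatch. */
int parse_instruction(const char *buf, size_t len,
                      char elems[][MAX_ELEMENT_BYTES + 1], int *count) {
    const char *p = buf, *end = buf + len;
    *count = 0;
    for (;;) {
        size_t declared = 0; int digits = 0;
        while (p < end && *p >= '0' && *p <= '9') {
            if (declared > MAX_ELEMENT_LENGTH) return PARSE_INVALID; /* no overflow */
            declared = declared * 10 + (size_t)(*p - '0');
            p++; digits++;
        }
        if (p >= end) return PARSE_INCOMPLETE;
        if (digits == 0 || *p != '.' || declared > MAX_ELEMENT_LENGTH) return PARSE_INVALID;
        const char *start = ++p;
        for (size_t i = 0; i < declared; i++)
            if ((p = utf8_next(p, end)) == NULL) return PARSE_INCOMPLETE;
        if (p >= end) return PARSE_INCOMPLETE;
        if (*p != ',' && *p != ';') return PARSE_INVALID;   /* length disagrees with data */
        if (*count >= MAX_ELEMENTS) return PARSE_INVALID;
        size_t nbytes = (size_t)(p - start);
        if (nbytes > MAX_ELEMENT_BYTES) return PARSE_INVALID; /* malformed UTF-8 run */
        memcpy(elems[*count], start, nbytes);
        elems[*count][nbytes] = '\0';
        (*count)++;
        if (*p++ == ';') return (int)(p - buf);
    }
}
```

The constructed inputs `4.select,3.vnc;` and `8.select,3.vnc;` (declared length too short and too long) are both rejected, while `6.select,3.vnc;` parses into two elements.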
Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.
Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting this issue.
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user’s active use of that same connection.
Acknowledgements: We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.
Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.
Acknowledgements: We would like to thank William Le Berre (Synetis) for reporting this issue.
Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
Acknowledgements: We would like to thank GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain.
Acknowledgements: We would like to thank Ross Golder for reporting this issue.
A cross-site scripting (XSS) vulnerability was discovered through which files with specially-crafted filenames could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users, and the filename is displayed within the file browser located within the Guacamole menu.
Acknowledgements: We would like to thank Niv Levy for reporting this issue.
A stack-based buffer overflow vulnerability was discovered in the guac_client_plugin_open() function in libguac in Guacamole before 0.6.3, which could allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long protocol name.
Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting this issue.