Security Reports

This page lists all security vulnerabilities fixed in released versions of Apache Guacamole. Each vulnerability is listed with a description of the problem, its associated CVE number, and the Guacamole release in which the vulnerability was fixed.

Reporting new vulnerabilities

If you believe you have discovered a security problem in Apache Guacamole, please follow responsible disclosure practices and report discovered security issues privately, either to the private security mailing list of the ASF Security Team or the security@guacamole.apache.org mailing list, before disclosing or discussing the issue in a public forum.

Vulnerabilities in dependencies

Is Apache Guacamole affected by CVE-2023-5129?

No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding WebP images, not encoding.

You would also receive updates to libwebp from your distribution as the library itself is not bundled within Guacamole. If using our Docker images, the images are automatically rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and a pull of the latest would give you an updated image.

Is Apache Guacamole affected by CVE-2021-44228?

No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses Logback as its logging backend, not Log4j.

Fixed in Apache Guacamole 1.5.4

Fixed in Apache Guacamole 1.5.2

Fixed in Apache Guacamole 1.4.0

Fixed in Apache Guacamole 1.3.0

Fixed in Apache Guacamole 1.2.0

Fixed in Apache Guacamole 1.0.0

Fixed in Apache Guacamole 0.9.11-incubating

Fixed in Guacamole 0.9.9 (pre-Apache release)

Fixed in Guacamole 0.6.3 (pre-Apache release)