Security Reports
This page lists all security vulnerabilities fixed in released versions of Apache Guacamole. Each vulnerability is listed with a description of the problem, its associated CVE number, and the Guacamole release in which the vulnerability was fixed.
Reporting new vulnerabilities
If you believe you have discovered a security problem in Apache Guacamole, please follow responsible disclosure practices and report discovered security issues privately, either to the private security mailing list of the ASF Security Team or the security@guacamole.apache.org mailing list, before disclosing or discussing the issue in a public forum.
Vulnerabilities in dependencies
Is Apache Guacamole affected by CVE-2023-5129?
No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding WebP images, not encoding.
Updates to libwebp also come from your distribution, as the library itself is not bundled within Guacamole. If you use our Docker images, the images are automatically rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and pulling the latest image would give you an updated image.
Is Apache Guacamole affected by CVE-2021-44228?
No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses Logback as its logging backend, not Log4j.
Fixed in Apache Guacamole 1.5.2
-
Incorrect calculation of Guacamole protocol element lengths (CVE-2023-30575)
Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths of instruction elements sent during the Guacamole protocol handshake, potentially allowing an attacker to inject Guacamole instructions during the handshake through specially-crafted data.
Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.
-
Use-after-free in handling of RDP audio input buffer (CVE-2023-30576)
Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a freed RDP audio input buffer. Depending on timing, this may allow an attacker to execute arbitrary code with the privileges of the guacd process.
Acknowledgements: We would like to thank Stefan Schiller (Sonar) for reporting this issue.
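For CVE-2023-30575 above, the following added example (not Guacamole's own code) shows why element lengths must be exact in a length-prefixed protocol. It uses the Guacamole wire format of LENGTH.VALUE elements whose lengths count Unicode code points; the UTF-16 miscount in encodeInstructionUtf16 is an assumed illustration of a length error, not a root cause stated on this page, and all function names are hypothetical.

```javascript
// Added example, not Guacamole source. Wire format: LENGTH.VALUE elements
// joined by "," and ended by ";", where LENGTH counts Unicode code points.

// Correct encoder: count code points, not UTF-16 code units.
function encodeInstruction(elements) {
  return elements
    .map((value) => `${Array.from(String(value)).length}.${value}`)
    .join(",") + ";";
}

// Assumed bug class for illustration: String.length counts UTF-16 code
// units, so any character outside the BMP overstates the element length.
function encodeInstructionUtf16(elements) {
  return elements.map((v) => `${String(v).length}.${v}`).join(",") + ";";
}

// Strict parser: reads exactly LENGTH code points, then requires "," or ";".
// Returns an array of instructions (arrays of elements) or throws.
function parseInstructions(data) {
  const chars = Array.from(data); // iterate by code point
  const instructions = [];
  let current = [];
  let pos = 0;
  while (pos < chars.length) {
    let digits = "";
    while (pos < chars.length && /[0-9]/.test(chars[pos])) digits += chars[pos++];
    if (digits === "" || chars[pos] !== ".") throw new Error(`bad length at ${pos}`);
    pos++; // skip "."
    const length = Number(digits);
    // The element must be followed by a terminator inside the input.
    if (pos + length >= chars.length) throw new Error("element overruns input");
    current.push(chars.slice(pos, pos + length).join(""));
    pos += length;
    const terminator = chars[pos++];
    if (terminator === ";") { instructions.push(current); current = []; }
    else if (terminator !== ",") throw new Error(`bad terminator at ${pos - 1}`);
  }
  if (current.length) throw new Error("unterminated instruction");
  return instructions;
}
```

With correct lengths, delimiter characters inside a value stay inside that element; with an overstated length, the strict terminator check rejects the stream instead of letting the element swallow the bytes that follow it.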
Fixed in Apache Guacamole 1.4.0
-
Improper validation of SAML responses (CVE-2021-43999)
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
Acknowledgements: We would like to thank Finn Steglich (ETAS) for reporting this issue.
-
Private tunnel identifier may be included in the non-private details of active connections (CVE-2021-41767)
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user’s active use of that same connection.
Acknowledgements: We would like to thank Damian Velardo (Australia and New Zealand Banking Group) for reporting this issue.
Fixed in Apache Guacamole 1.3.0
-
Inconsistent restriction of connection history visibility (CVE-2020-11997)
Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.
Acknowledgements: We would like to thank William Le Berre (Synetis) for reporting this issue.
Fixed in Apache Guacamole 1.2.0
-
Dangling pointer in RDP static virtual channel handling (CVE-2020-9498)
Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Acknowledgements: We would like to thank Eyal Itkin (Check Point Research) for reporting this issue.
-
Improper input validation of RDP static virtual channels (CVE-2020-9497)
Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
Acknowledgements: We would like to thank the GitHub Security Lab and Eyal Itkin (Check Point Research) for reporting this issue.
Fixed in Apache Guacamole 1.0.0
-
Secure flag missing from session cookie (CVE-2018-1340)
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user’s session token. This cookie lacked the “secure” flag, which could allow an attacker eavesdropping on the network to intercept the user’s session token if unencrypted HTTP requests are made to the same domain.
Acknowledgements: We would like to thank Ross Golder for reporting this issue.
Fixed in Apache Guacamole 0.9.11-incubating
-
Buffer overflow in SSH/telnet terminal emulator (CVE-2017-3158)
A race condition in Guacamole’s terminal emulator could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the remaining data being written beyond the end of a statically-allocated buffer.
Acknowledgements: We would like to thank Hariprasad Ng for reporting this issue.
Fixed in Guacamole 0.9.9 (pre-Apache release)
-
Stored cross-site scripting (XSS) in file browser (CVE-2016-1566)
A cross-site scripting (XSS) vulnerability was discovered through which files with specially-crafted filenames could lead to JavaScript execution if file transfer is enabled to a location which is shared by multiple users, and the filename is displayed within the file browser located within the Guacamole menu.
Acknowledgements: We would like to thank Niv Levy for reporting this issue.
Fixed in Guacamole 0.6.3 (pre-Apache release)
-
Buffer overflow in guac_client_plugin_open() (CVE-2012-4415)
A stack-based buffer overflow vulnerability was discovered in the guac_client_plugin_open() function in libguac in Guacamole before 0.6.3 which could allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long protocol name.
Acknowledgements: We would like to thank Timo Juhani Lindfors for reporting this issue.