CVE-2020-9497

LOW

Description

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525

https://lists.apache.org/thread.html/[email protected]%3Cuser.guacamole.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.guacamole.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E

https://research.checkpoint.com/2020/apache-guacamole-rce/

Details

Source: MITRE

Published: 2020-07-02

Updated: 2020-07-21

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 1.2

Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 1.9

Severity: LOW

CVSS v3.0

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 0.8

Severity: MEDIUM