LOW
Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
https://lists.apache.org/thread.html/[email protected]%3Cuser.guacamole.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.guacamole.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html
Source: MITRE
Published: 2020-07-02
Updated: 2021-01-04
Type: CWE-200
Base Score: 1.2
Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 1.9
Severity: LOW
Base Score: 4.4
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 0.8
Severity: MEDIUM