Fedora 42 : guacamole-server (2025-774aa2765e)

medium Nessus Plugin ID 241335

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-774aa2765e advisory.

# Apache Guacamole 1.6.0

## User interface / platform
* Add the ability to specify separate permissions for History and Active sessions tabs (GUACAMOLE-538)
* Support batch import of connections from CSV (GUACAMOLE-926)
* Add parameter token for connection name (GUACAMOLE-1177)
* Provide audit log for system modifications (GUACAMOLE-1224)
* Configurable username case sensitivity (GUACAMOLE-1239)
* Provide chunked file upload mechanism (GUACAMOLE-1320)
* Display whether user groups are disabled in group list (GUACAMOLE-1479)
* Support for true fullscreen mode and keyboard lock (GUACAMOLE-1525)
* Allow branding/customization of the section headers on the user home page (GUACAMOLE-1584)
* Add support for specifying VNC encodings parameter in webapp UI (GUACAMOLE-1642)
* Automatically clear view if session expires in background (GUACAMOLE-1744)
* Base64 encoding of image/binary data results in excessive syscalls that can degrade performance (GUACAMOLE-1776)
* Update session recording playback progress during large frame gaps (GUACAMOLE-1803)
* Enable viewing / searching of key events in session recording playback (GUACAMOLE-1820)
* Improvements to the Recent connections section (GUACAMOLE-1866)
* History Recording Player should indicate points of interest (GUACAMOLE-1876)
* Enhance client custom field functionality (GUACAMOLE-1904)
* Provide notification, jump-to-top of page for a clone operation (GUACAMOLE-1916)
* Bug: Logging of request details fails with recent Tomcat (GUACAMOLE-2052)

## Authentication, integration, and storage
* Ensure `GUAC_DATE`/`GUAC_TIME` tokens match connection startDate (GUACAMOLE-61)
* Add Proxy Hostname and Port to LDAP Extension (GUACAMOLE-577)
* Add webapp support for smart card authentication (GUACAMOLE-839)
* Enforce rate limit on authentication attempts (GUACAMOLE-990)
* Broadly configurable time limits for user logins and connection usage (GUACAMOLE-1020)
* Randomize generation of TOTP key until enrollment is confirmed (GUACAMOLE-1068)
* Allow TOTP to be disabled by group membership (GUACAMOLE-1219)
* Update guacamole-auth-duo to Duo Web v4 SDK (GUACAMOLE-1289)
* SAML module should be able to encrypt and sign requests (GUACAMOLE-1372)
* Allow LDAP extension to configure TLS level (GUACAMOLE-1488)
* Clarify TOTP reset/status logic (GUACAMOLE-1550)
* Allow JDBC Auth Extensions to track history for external connections (GUACAMOLE-1616)
* Allow extraction of domain token from vault extensions (GUACAMOLE-1623)
* Enable more granular vault associations (GUACAMOLE-1629)
* Allow use of KSM one-time tokens in guacamole-vault-ksm extension (GUACAMOLE-1643)
* Allow per-user KSM Vault configurations (GUACAMOLE-1656)
* KSM vault extension should allow searching records by domain (GUACAMOLE-1661)
* Allow user to configure Keeper Secrets Manager call frequency (GUACAMOLE-1722)
* Enforce user access windows even when already logged in (GUACAMOLE-1723)
* Add SSO providers list to UI at most once (GUACAMOLE-1757)
* Allow TOTP and SAML auth to be used together (GUACAMOLE-1780)
* Bug: KSM Vault extension doesn't support private key from PAM User record type (GUACAMOLE-1795)
* Map JWT claims from OpenID Connect as parameter tokens (GUACAMOLE-1844)
* Allow MFA to be bypassed or enforced based on client IP (GUACAMOLE-1855)
* Add parameter token for domain of LDAP user (GUACAMOLE-1881)
* Disable autofill on TOTP verification code field (GUACAMOLE-1946)
* Provide a comprehensive error message for input exceeding database column (GUACAMOLE-1948)

## Protocol support / guacd
* Allow selection of whole words by double-clicking (GUACAMOLE-192)
* Improve efficiency of streaming complex/large changes (Graphics Pipeline Extension, RemoteFX) (GUACAMOLE-377)
* Allow specifying connection timeout (GUACAMOLE-600)
* Add support for FreeRDP 3.0.0 (GUACAMOLE-1026)
* Bug: Connecting to unpublished RemoteApp results in black screen (GUACAMOLE-1084)
* Bug: Add support for right modifier keys to SSH/Telnet (GUACAMOLE-1113)
* Add auto resize to VNC sessions (GUACAMOLE-1196)
* RemoteApp windows become inaccessible after being minimized (GUACAMOLE-1231)
* Bug: Lines of a file get broken when navigating back and forth using a text editor (GUACAMOLE-1256)
* Add option to the vnc protocol to disable remote input (GUACAMOLE-1267)
* Add support for SSH certificates (GUACAMOLE-1290)
* Add parameter for specifying known RDP server certificate/fingerprint (GUACAMOLE-1332)
* Bug: AltGr received as Alt if remote keyboard layout lacks AltGr (GUACAMOLE-1473)
* Bug: Terminal emulator adds newlines when copying a wrapped line of text (GUACAMOLE-1586)
* Add small margins to SSH sessions (GUACAMOLE-1622)
* Bug: Text copied from terminal emulator may incorrectly omit indentation (GUACAMOLE-1632)
* Add terminal support for alternate screen buffer (GUACAMOLE-1633)
* Bug: SFTP+VNC broken when built with OpenSSL versions >= 1.1.0 (GUACAMOLE-1652)
* Clipboard normalization support for SSH connections (GUACAMOLE-1682)
* Test machine availability when sending Wake-on-LAN packet (GUACAMOLE-1686)
* Bug: Japanese characters display garbled in terminal when using guacd docker image (GUACAMOLE-1726)
* Add parameters for VNC compression and quality levels (GUACAMOLE-1760)
* Terminal protocols should support Mac-style Cmd+V paste shortcut (GUACAMOLE-1804)
* Ignore Ctrl+Shift+C within terminal emulator (GUACAMOLE-1805)
* Allow writing recordings to existing files (GUACAMOLE-1931)
* Bug: RDP connection fails when microphone input is enabled (GUACAMOLE-1940)
* Bug: Selected text in SSH is offset from cursor position (GUACAMOLE-1944)
* Bug: Multiple wheel events per mouse wheel tick (GUACAMOLE-1967)
* Bug: FreeRDP may invoke EndPaint without BeginPaint as of 3.8.0 (GUACAMOLE-1997)

## Internationalization
* Bug: Japanese keyboard layout for RDP incorrect (GUACAMOLE-520)
* Add support for Canadian French keyboard layout (GUACAMOLE-1312)
* Update French translations (GUACAMOLE-1611)
* Fix some typos in Italian translation and improve it (GUACAMOLE-1612)
* Updated Czech translation (GUACAMOLE-1664)
* Updated German translation (GUACAMOLE-1692)
* Add Czech keyboard layout (GUACAMOLE-1708)
* Polish translation (GUACAMOLE-1730)
* Updated Czech translation (GUACAMOLE-1758)
* Add Romanian keymap to RDP protocol (GUACAMOLE-1770)
* Add Portuguese keymap to RDP protocol (GUACAMOLE-1771)
* Update the Simplified Chinese translation (GUACAMOLE-1778)
* Update the Simplified Chinese translation for totp auth extension (GUACAMOLE-1781)
* Updated Czech translation (GUACAMOLE-1792)
* Bug: Mac Firefox repeats composed characters (GUACAMOLE-1810)

## Documentation
* Add missing `WEBAPP_CONTEXT` variable in docker setup documentation (GUACAMOLE-1680)
* Document `RemoteIPValve` to cover IPv4 and IPv6 (GUACAMOLE-1861)

## General housekeeping and cleanup
* Provide GuacamoleProperty List Implementations (GUACAMOLE-1006)
* Expose client state enum values (GUACAMOLE-1402)
* Guacamole manual: Makefile: `find` uses non-POSIX arguments (GUACAMOLE-1501)
* Bug: PhantomJS build issues on Ubuntu 22.04 (GUACAMOLE-1614)
* Remove usage of AccessController (GUACAMOLE-1716)
* Bug: Correct autoconf issues that result in odd build results (GUACAMOLE-1719)
* Stop storing unnecessary auth response data in local storage (GUACAMOLE-1721)
* Bug: Projects outside scope of 1.5.0 fail to build following merge of version number bump (GUACAMOLE-1731)
* Bug: Projects outside scope of 1.5.1 fail to build following merge of version number bump (GUACAMOLE-1767)
* Bug: SQLSERVER_BATCH_SIZE defined twice in SQLServerGuacamoleProperties (GUACAMOLE-1789)
* Bug: Projects outside scope of 1.5.2 fail to build following merge of version number bump (GUACAMOLE-1790)
* Bug: Projects outside scope of 1.5.3 fail to build following merge of version number bump (GUACAMOLE-1829)
* Bug: Merge conflict markers left in guacamole-manual source (GUACAMOLE-1833)
* KSM Vault extension should support new PAM Hostname field type (GUACAMOLE-1868)
* Align libraries on Library status output (GUACAMOLE-1869)
* Check return values of WebP API functions (GUACAMOLE-1875)
* Bug: Projects outside scope of 1.5.4 fail to build following merge of version number bump (GUACAMOLE-1887)
* Bump versions for projects outside the 1.5.5 scope (GUACAMOLE-1915)
* Add support for FFmpeg 7.0 (GUACAMOLE-1952)
* Update dependencies to latest stable and compatible versions (GUACAMOLE-1956)
* Bump versions to 1.6.0 (GUACAMOLE-1980)
* Bug: Compile error in `src/protocols/rdp/channels/rail.c` (GUACAMOLE-1982)
* Upgrade KSM SDK to latest (v16.6.5) (GUACAMOLE-1984)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected guacamole-server package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2025-774aa2765e

Plugin Details

Severity: Medium

ID: 241335

File Name: fedora_2025-774aa2765e.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/3/2025

Updated: 7/3/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 4.9

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2024-35164

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:42, p-cpe:/a:fedoraproject:fedora:guacamole-server

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/24/2025

Vulnerability Publication Date: 6/24/2025

Reference Information

CVE: CVE-2024-35164