VDB

GCVE-110-MAGEIA-2021-272

GCVE-110-MAGEIA-2021-272
Advisory Published
Vulnetix · Advisory published June 23, 2021
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain (CVE-2018-1340). Apache Guacamole 1.1.0 and older do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection (CVE-2020-9497). Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process (CVE-2020-9498). Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users (CVE-2020-11997). This is an update of guacd to latest version to fix security issues. We also updated util-linux and ossp_uuid to make them co installable as guacd requires ossp_uuid.

Affected Products

VendorProductVersionsPlatforms
Mageiautil-linux0 (affected), 2.33.2-1.1.mga7 (unaffected)
Mageiaossp_uuid0 (affected), 1.6.2-21.1.mga7 (unaffected)
Mageiaguacd0 (affected), 1.3.0-1.mga7 (unaffected)

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›