Description
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
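An added example, not code from Apache Guacamole or from this advisory: a small JavaScript check that flags cookies set without the Secure attribute, matching the attribute itself rather than searching the string for "secure". The function names, cookie names, values and paths are constructed for illustration.

```javascript
// Parse one Set-Cookie header value (or a string assigned to document.cookie)
// into name, value and a map of attributes. Attribute names are case-insensitive.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p !== "");
  if (parts.length === 0) return null;
  const first = parts[0];
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no name=value pair
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1).trim(), attrs };
}

// Names of cookies the browser would also attach to plain-HTTP requests,
// i.e. those set without the Secure attribute.
function cookiesMissingSecure(headers) {
  const missing = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c && !c.attrs.has("secure")) missing.push(c.name);
  }
  return missing;
}

// Return the cookie string with Secure appended when it is absent.
function withSecure(header) {
  const c = parseSetCookie(header);
  if (!c || c.attrs.has("secure")) return header;
  return header.replace(/;?\s*$/, "") + "; Secure";
}

// Constructed sample data (hypothetical names and values).
const SAMPLE_HEADERS = [
  "SESSION_TOKEN=abc123; Path=/app/",         // session token, no Secure
  "SESSION_TOKEN=abc123; Path=/app/; secure", // lowercase attribute still counts
  "prefs=secure=1; Path=/",                   // "secure" appears only in the value
  "theme=dark; Path=/; Secure",
];

console.log(cookiesMissingSecure(SAMPLE_HEADERS)); // [ 'SESSION_TOKEN', 'prefs' ]
console.log(withSecure(SAMPLE_HEADERS[0]));
```
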
Remediation
References
http://www.securityfocus.com/bid/106768
https://lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979%40%3Cannounce.guacamole.apache.org%3E