Description

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.

Remediation

References

http://www.securityfocus.com/bid/106768

https://lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979%40%3Cannounce.guacamole.apache.org%3E

Related Vulnerabilities

CVE-2022-3509 Vulnerability in maven package com.google.protobuf:protobuf-java

CVE-2021-46363 Vulnerability in maven package info.magnolia:magnolia-core

CVE-2019-17554 Vulnerability in maven package org.apache.olingo:odata-server-api

CVE-2021-25933 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2014-9515 Vulnerability in maven package com.github.dozermapper:dozer-parent

Severity

High

Classification

CWE-311 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory