PT-2019-8967 · Apache · Apache Guacamole

Ross Golder

Published

2019-02-07

Updated

2022-05-13

CVE-2018-1340

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Guacamole versions prior to 1.0.0

Description The issue concerns the use of a cookie for client-side storage of the user's session token. This cookie lacks the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.

Recommendations For versions prior to 1.0.0, update to version 1.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the application over unencrypted HTTP to minimize the risk of session token interception.

Fix

Missing Encryption of Sensitive Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-311

Related Identifiers

CVE-2018-1340

GHSA-WR7R-VG3C-54R5

MGASA-2021-0272

Affected Products

Apache Guacamole

PT-2019-8967 · Apache · Apache Guacamole

CVE-2018-1340

Weakness Enumeration

Related Identifiers

Affected Products

References · 18