Posted to dev@guacamole.apache.org by Mike Jumper <mj...@apache.org> on 2022/01/11 21:21:35 UTC

[SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

Severity: high

Description:

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
received from a SAML identity provider. If SAML support is enabled,
this may allow a malicious user to assume the identity of another
Guacamole user.

Credit:

We would like to thank Finn Steglich (ETAS) for reporting this issue.

Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri <ju...@ionos.com> wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: high
> >
> > Description:
> >
> > Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> > received from a SAML identity provider. If SAML support is enabled,
> > this may allow a malicious user to assume the identity of another
> > Guacamole user.
> >
> > Credit:
> >
> > We would like to thank Finn Steglich (ETAS) for reporting this issue.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> > For additional commands, e-mail: user-help@guacamole.apache.org
> >
> Hello,
>
> Which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The SAML authentication extension for the webapp.

- Mike

Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses

Posted by Jürgen Kuri <ju...@ionos.com>.
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: high
> 
> Description:
> 
> Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> received from a SAML identity provider. If SAML support is enabled,
> this may allow a malicious user to assume the identity of another
> Guacamole user.
> 
> Credit:
> 
> We would like to thank Finn Steglich (ETAS) for reporting this issue.
> 
Hello,

Which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen