Posted to dev@guacamole.apache.org by Mike Jumper <mj...@apache.org> on 2022/01/11 21:21:35 UTC
[SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses
Severity: high
Description:
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
received from a SAML identity provider. If SAML support is enabled,
this may allow a malicious user to assume the identity of another
Guacamole user.
Credit:
We would like to thank Finn Steglich (ETAS) for reporting this issue.
Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses
Posted by Mike Jumper <mj...@apache.org>.
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri <ju...@ionos.com> wrote:
> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: high
> >
> > Description:
> >
> > Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> > received from a SAML identity provider. If SAML support is enabled,
> > this may allow a malicious user to assume the identity of another
> > Guacamole user.
> >
> > Credit:
> >
> > We would like to thank Finn Steglich (ETAS) for reporting this issue.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> > For additional commands, e-mail: user-help@guacamole.apache.org
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>
The SAML authentication extension for the webapp.
- Mike
Re: [SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses
Posted by Jürgen Kuri <ju...@ionos.com>.
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: high
>
> Description:
>
> Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses
> received from a SAML identity provider. If SAML support is enabled,
> this may allow a malicious user to assume the identity of another
> Guacamole user.
>
> Credit:
>
> We would like to thank Finn Steglich (ETAS) for reporting this issue.
>
Hello,
which component is affected here, backend (guacd) or frontend (.war) or both?
--
Thanks
Jürgen