You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Mike Jumper <mj...@apache.org> on 2019/01/23 22:20:45 UTC

[SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.

Re: [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Posted by Mike Jumper <mj...@apache.org>.
On Sat, Jan 26, 2019 at 5:26 PM <DM...@simard.ca> wrote:
>
> Would that mean if the server, if accessable only by https://guacamole.domain.com/something/
> and http was blocked. it would be ok? in this case?
>

Yes.

There would only be a danger of the session token being intercepted if
unencrypted HTTP requests were made to guacamole.domain.com while the
Guacamole session was valid (the user was still logged in). There is
no such danger if all requests to your domain are encrypted.

- Mike

Re: [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Posted by DM...@simard.ca.
Would that mean if the server, if accessable only by 
https://guacamole.domain.com/something/
and http was blocked. it would be ok? in this case?





From:   "Mike Jumper" <mj...@apache.org>
To:     user@guacamole.apache.org, dev@guacamole.apache.org, 
announce@apache.org, announce@guacamole.apache.org, 
security@guacamole.apache.org
Date:   01/23/19 05:21 PM
Subject:        [SECURITY] CVE-2018-1340: Secure flag missing from Apache 
Guacamole session cookie



CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.