Information Exposure

Affecting org.apache.guacamole:guacamole artifact, versions [,1.0.0)


Overview

org.apache.guacamole:guacamole is a clientless remote desktop gateway.

Affected versions of this package are vulnerable to Information Exposure. The package stores the user's session token in a client-side cookie. This cookie lacked the "Secure" flag, so a browser would also attach it to unencrypted HTTP requests made to the same domain, allowing an attacker eavesdropping on the network to intercept the user's session token.
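As an added illustration (not code from this advisory or from the Apache Guacamole project), the following Python script audits Set-Cookie response headers for the missing "Secure" attribute described above and shows what the hardened header looks like. The cookie name SESSION_TOKEN and the header strings are constructed samples, not captured Guacamole traffic.

```python
"""Audit Set-Cookie headers for the transport-security attributes a
session cookie should carry, and append the ones that are missing.

Added example; the sample headers and the cookie name SESSION_TOKEN
are constructed placeholders, not the Guacamole project's own values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample responses (not real captured traffic).
SAMPLE_HEADERS = {
    # The pattern the advisory describes: session cookie without Secure.
    "missing_secure": "SESSION_TOKEN=abc123; Path=/; HttpOnly",
    # What a remediated response should look like.
    "hardened": "SESSION_TOKEN=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    # Worst case: no attributes at all.
    "bare": "SESSION_TOKEN=abc123",
}


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased for comparison; flag attributes such
    as Secure and HttpOnly carry no value and map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie pair: {parts[0]!r}")
    attrs: dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Report which protective attributes a Set-Cookie header lacks."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite")
    findings: list[str] = []
    if not secure:
        # Without Secure the browser also sends the cookie over plaintext
        # HTTP to the same host, which is the exposure in CVE-2018-1340.
        findings.append("missing Secure: cookie is sent over unencrypted HTTP")
    if not httponly:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if samesite is None:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    return CookieAudit(name, secure, httponly, samesite, findings)


def harden_set_cookie(header: str) -> str:
    """Return the header with Secure and HttpOnly appended when absent.

    Existing attributes are kept verbatim so the fix is a minimal diff.
    """
    _name, _value, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = audit_set_cookie(header)
        print(f"[{label}] {result.name}: {result.findings or 'OK'}")
        if result.findings:
            print(f"    hardened -> {harden_set_cookie(header)}")
```

Running the audit against a server's actual responses (for example the headers saved from a login request) is the quickest way to confirm whether an upgrade to 1.0.0 or later took effect: the remediated response must show the session cookie with "Secure" set.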

Remediation

Upgrade org.apache.guacamole:guacamole to version 1.0.0 or higher.

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Ross Golder
CVE
CVE-2018-1340
CWE
CWE-200
Snyk ID
SNYK-JAVA-ORGAPACHEGUACAMOLE-173667
Disclosed
08 Feb, 2019
Published
08 Feb, 2019