Message-ID: <0ad63b5d-3556-4077-868a-afa001c4e006@apache.org>
Date: Tue, 1 Jul 2025 10:19:26 -0700
From: Michael Jumper <mjumper@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-35164: Apache Guacamole: Improper input validation of console codes

Severity: moderate
Base CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected versions:

- Apache Guacamole 0.8.0 through 1.5.5

Description:

The terminal emulator of Apache Guacamole 1.5.5 and older does not 
properly validate console codes received from servers via text-based 
protocols like SSH. If a malicious user has access to a text-based 
connection, a specially-crafted sequence of console codes could allow 
arbitrary code to be executed with the privileges of the running guacd 
process.

Users are recommended to upgrade to version 1.6.0, which fixes this issue.
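The kind of validation the advisory calls for, as an added C example written for this post (it is not Guacamole's code and does not reproduce the actual defect): a parser for CSI control sequences (ESC '[' params final-byte) that caps the number of parameters and the size of each value, so a server-supplied sequence can never push the emulator past what its handlers were written to expect. The names CSI_MAX_PARAMS, CSI_MAX_VALUE, csi_seq and csi_parse are assumptions of this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Guacamole code: limits a server-controlled
 * CSI sequence to a fixed parameter count and value range before the
 * terminal acts on it. */
#define CSI_MAX_PARAMS 16
#define CSI_MAX_VALUE  65535

typedef struct {
    int params[CSI_MAX_PARAMS];
    size_t nparams;
    char final;          /* final byte, e.g. 'm' for SGR, 'H' for cursor position */
} csi_seq;

/* Parses one CSI sequence at the start of buf. Returns the number of bytes
 * consumed, or 0 if the sequence is malformed, truncated, or exceeds the
 * limits; the caller should drop such a sequence rather than act on it. */
size_t csi_parse(const char *buf, size_t len, csi_seq *out) {
    if (len < 3 || buf[0] != 0x1B || buf[1] != '[')
        return 0;
    memset(out, 0, sizeof(*out));
    long value = 0;
    for (size_t i = 2; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (isdigit(c)) {
            value = value * 10 + (c - '0');
            if (value > CSI_MAX_VALUE)            /* reject oversized value */
                return 0;
        } else if (c == ';') {
            if (out->nparams >= CSI_MAX_PARAMS)   /* reject too many params */
                return 0;
            out->params[out->nparams++] = (int)value;
            value = 0;
        } else if (c >= 0x40 && c <= 0x7E) {      /* final byte ends the sequence */
            if (out->nparams >= CSI_MAX_PARAMS)
                return 0;
            out->params[out->nparams++] = (int)value;   /* missing param defaults to 0 */
            out->final = (char)c;
            return i + 1;
        } else {
            return 0;                             /* unexpected byte inside sequence */
        }
    }
    return 0;                                     /* truncated: wait for more input */
}
```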

Credit:

We would like to thank Tizian Seehaus (Tibotix) for reporting this issue.

References:

https://guacamole.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-35164
