CVE-2021-43999: Improper validation of SAML responses
Software affected
Glyptodon Enterprise 2.6 and older
Description
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
Preconditions for exploitation
SAML support for Apache Guacamole is enabled.
Results of a successful attack
A malicious user may assume the identity of another existing Guacamole user.
Mitigation
Glyptodon Enterprise 2.x has been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
Glyptodon Enterprise 1.x does not have support for SAML available and is not affected.
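Because the advisory asks users to evaluate their exposure, the quickest practical question is whether the preconditions hold on a given deployment: the SAML extension is deployed and configured, and the Glyptodon Enterprise version is 2.6 or older. The script below is an added example, not code from Glyptodon or the Apache Guacamole project. It assumes a standard Guacamole layout where extensions are jars in GUACAMOLE_HOME/extensions and SAML settings live in guacamole.properties; the property names (saml-idp-metadata-url, saml-idp-url, saml-entity-id, saml-callback-url) are taken from the documented settings of the guacamole-auth-saml extension and should be confirmed against the version actually installed. The sample configuration and extension list embedded at the bottom are constructed for the example.

```python
import re

# Property keys read by the Apache Guacamole SAML extension (guacamole-auth-saml).
# Assumption: names taken from the extension's documentation; verify for your version.
SAML_PROPERTY_KEYS = {
    "saml-idp-metadata-url",
    "saml-idp-url",
    "saml-entity-id",
    "saml-callback-url",
}

# File name pattern of the SAML extension jar in GUACAMOLE_HOME/extensions (assumption).
SAML_JAR_PATTERN = re.compile(r"^guacamole-auth-saml-.*\.jar$")


def parse_properties(text):
    """Parse Java-style properties text (key=value or key: value), skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def saml_enabled(props, extension_jars):
    """Return (enabled, configured_saml_keys, jar_present).

    SAML is treated as enabled only when the extension jar is deployed AND at
    least one SAML property has a non-empty value; a deployed jar with no
    configuration, or configuration with no jar, is reported but not counted.
    """
    jar_present = any(SAML_JAR_PATTERN.match(name) for name in extension_jars)
    configured = sorted(k for k in props if k in SAML_PROPERTY_KEYS and props[k])
    return jar_present and bool(configured), configured, jar_present


def glyptodon_affected(version):
    """Apply the advisory's version statement: Glyptodon Enterprise 2.6 and older
    are affected; 1.x has no SAML support and is not affected.

    Only major.minor are compared; the advisory does not distinguish patch levels.
    """
    parts = tuple(int(x) for x in version.split(".")[:2])
    if parts[0] != 2:
        return False
    return parts <= (2, 6)


def assess(properties_text, extension_jars, glyptodon_version):
    """Combine the two preconditions into a single exposure verdict."""
    enabled, keys, jar = saml_enabled(parse_properties(properties_text), extension_jars)
    affected_version = glyptodon_affected(glyptodon_version)
    return {
        "saml_enabled": enabled,
        "saml_keys": keys,
        "saml_jar_present": jar,
        "affected_version": affected_version,
        "exposed": enabled and affected_version,
    }


# Constructed sample input (not from any real deployment).
CONSTRUCTED_PROPERTIES = """\
# constructed sample guacamole.properties
guacd-hostname: localhost
guacd-port: 4822
saml-idp-metadata-url: https://idp.example.com/metadata
saml-entity-id: https://guac.example.com/
saml-callback-url: https://guac.example.com/guacamole/
"""
CONSTRUCTED_EXTENSIONS = [
    "guacamole-auth-jdbc-mysql-1.3.0.jar",
    "guacamole-auth-saml-1.3.0.jar",
]

if __name__ == "__main__":
    # Version string is a constructed example value.
    for k, v in assess(CONSTRUCTED_PROPERTIES, CONSTRUCTED_EXTENSIONS, "2.5").items():
        print(f"{k}: {v}")
```

On a real host, read guacamole.properties and list the extensions directory instead of the constructed values; an "exposed" verdict means the upgrade described under Mitigation should be scheduled, while a deployment without the SAML extension is outside the advisory's preconditions.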
Analysis and CVSS score breakdown
Last updated