CVE-2021-43999: Improper validation of SAML responses

Software affected

  • Glyptodon Enterprise 2.6 and older

Description

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
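The advisory does not say which validation step was missing, so the following is a general illustration rather than a description of the Guacamole defect. It is an added example, not code from Glyptodon or the Apache Guacamole project, showing the checks a SAML service provider (SP) has to apply to an identity-provider response before it trusts the NameID inside it: success status, Destination and InResponseTo bound to the request this session actually sent, a single signed Assertion whose signature Reference covers that Assertion, the expected Issuer and Audience, the validity window, the bearer SubjectConfirmationData, and one-time use of the Assertion ID. Cryptographic verification of the XML signature is assumed to have been done with an XML-DSig library beforehand; the entity IDs, URLs, request ID, timestamps and the sample response are all constructed for this example.

```python
# Added example, not code from Glyptodon or the Apache Guacamole project: the non-cryptographic
# checks an SP must apply to a SAML response. All entity IDs, URLs, IDs, timestamps and the
# sample response below are constructed; the SignatureValue in the sample is a placeholder.
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# idp_entity_id: Issuer the assertion must carry; sp_entity_id: Audience it must be restricted to;
# acs_url: Destination/Recipient it must name; request_id: ID of the AuthnRequest this session sent
SPExpectations = namedtuple("SPExpectations", "idp_entity_id sp_entity_id acs_url request_id")

class SamlValidationError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SamlValidationError(msg)

def _parse_time(value):
    # SAML dateTime values are UTC with a trailing Z (fractional seconds not handled here)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expect, now, seen_ids, skew=timedelta(seconds=60)):
    """Return the asserted NameID or raise SamlValidationError.
    Cryptographic verification of the XML signature (canonicalisation, digest, key check against
    the pinned IdP certificate) needs an XML-DSig library and is assumed to have passed on the raw
    bytes before this runs; everything else binding the assertion to this SP, this login attempt
    and this moment in time is enforced here."""
    root = ET.fromstring(xml_text)
    _require(root.tag == f"{{{NS['samlp']}}}Response", "root is not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == STATUS_SUCCESS, "status is not Success")
    # Bind the response to this SP endpoint and to the request this session actually sent
    _require(root.get("Destination") == expect.acs_url, "Destination mismatch")
    _require(root.get("InResponseTo") == expect.request_id, "InResponseTo mismatch (unsolicited or replayed)")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    aid = a.get("ID")
    _require(bool(aid) and aid not in seen_ids, "Assertion ID missing or already consumed (replay)")
    issuer = a.find("saml:Issuer", NS)
    _require(issuer is not None and (issuer.text or "").strip() == expect.idp_entity_id, "Issuer mismatch")
    # The signature must sit inside the Assertion and reference this Assertion's own ID, so the
    # element being consumed is the element that was actually signed
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    _require(ref is not None and ref.get("URI") == f"#{aid}", "Assertion not signed as a whole")
    conds = a.find("saml:Conditions", NS)
    _require(conds is not None and conds.get("NotBefore") and conds.get("NotOnOrAfter"), "no validity window")
    _require(_parse_time(conds.get("NotBefore")) - skew <= now < _parse_time(conds.get("NotOnOrAfter")) + skew,
             "assertion outside validity window")
    audiences = [x.text.strip() for x in conds.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    _require(expect.sp_entity_id in audiences, "Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("Recipient") == expect.acs_url, "bearer Recipient mismatch")
    _require(scd.get("InResponseTo") == expect.request_id, "bearer InResponseTo mismatch")
    _require(scd.get("NotOnOrAfter") and now < _parse_time(scd.get("NotOnOrAfter")) + skew, "bearer confirmation expired")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    _require(name_id is not None and (name_id.text or "").strip(), "missing NameID")
    seen_ids.add(aid)  # record the ID only after every check has passed
    return name_id.text.strip()

def rejection_reason(xml_text, expect, now, seen_ids=None):
    """None if the response is accepted, otherwise the reason it was rejected."""
    try:
        validate_response(xml_text, expect, now, set() if seen_ids is None else seen_ids)
        return None
    except SamlValidationError as e:
        return str(e)

_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" Destination="https://sp.example.test/saml/acs" InResponseTo="{request_id}">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-12-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
     InResponseTo="{request_id}" NotOnOrAfter="2021-12-01T12:05:00Z"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-12-01T11:59:00Z" NotOnOrAfter="2021-12-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def build_sample_response(request_id="_req1", audience="https://sp.example.test/metadata"):
    return _TEMPLATE.format(request_id=request_id, audience=audience)

EXPECT = SPExpectations("https://idp.example.test/metadata", "https://sp.example.test/metadata",
                        "https://sp.example.test/saml/acs", "_req1")
NOW = datetime(2021, 12, 1, 12, 1, tzinfo=timezone.utc)    # inside the sample validity window
LATER = datetime(2021, 12, 1, 13, 1, tzinfo=timezone.utc)  # after the window has closed
```

`rejection_reason(build_sample_response(), EXPECT, NOW)` returns `None` for the constructed response, while the same response with a different `InResponseTo`, a different `Audience`, a clock an hour later, or a second presentation against the same `seen_ids` set is refused with the corresponding reason. The order of checks matters less than their completeness: an SP that verifies the signature but skips the InResponseTo, Audience or replay checks still accepts assertions that were never issued for this login.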

Preconditions for exploitation

  • SAML support for Apache Guacamole is enabled.

Results of a successful attack

  • A malicious user may assume the identity of another existing Guacamole user.

Mitigation

Glyptodon Enterprise 2.x has been patched with respect to this vulnerability. Users should evaluate their exposure and risk based on this advisory and plan to upgrade when possible.

Glyptodon Enterprise 1.x does not have support for SAML available and is not affected.
