CVE-2020-11997: Inconsistent restriction of connection history visibility
- Glyptodon Enterprise 1.13 and older
- Glyptodon Enterprise 2.1 and older
Apache Guacamole 1.2.0 and older do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.
- Multiple users that share access to the same connections.
- A user with access to a connection is able to see whether other users have accessed that connection, as well as the IP addresses used to access the connection.
Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
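For evaluating exposure as described above, the following added example (not code from Apache Guacamole or Glyptodon) models the issue in Python: it lists which users could learn about which other users through a shared connection's history, and shows a history filter that applies user visibility consistently. The data layout, the names `exposed_pairs` and `visible_history`, and all sample values are assumptions constructed for illustration.

```python
from itertools import permutations

# Constructed sample data (hypothetical, not from any real deployment).
# connection -> users permitted to use it
CONNECTION_ACCESS = {
    "db-admin": {"alice", "bob"},
    "jump-host": {"alice", "bob", "carol"},
    "kiosk": {"dave"},
}
# viewer -> other users that viewer is permitted to see
USER_VISIBILITY = {
    "alice": {"bob", "carol"},
    "bob": set(),
    "carol": {"bob"},
    "dave": set(),
}
# history records: (connection, username, remote address)
HISTORY = [
    ("jump-host", "alice", "192.0.2.10"),
    ("jump-host", "bob", "192.0.2.20"),
    ("jump-host", "carol", "192.0.2.30"),
    ("db-admin", "alice", "192.0.2.10"),
]

def exposed_pairs(connection_access, user_visibility):
    """Return (viewer, exposed_user, connection) triples where a shared
    connection's history would reveal a user the viewer cannot otherwise see."""
    findings = set()
    for connection, users in connection_access.items():
        for viewer, other in permutations(sorted(users), 2):
            if other not in user_visibility.get(viewer, set()):
                findings.add((viewer, other, connection))
    return findings

def visible_history(viewer, history, connection_access, user_visibility):
    """History filtered consistently: the viewer must have access to the
    connection AND be the record's user or be permitted to see that user."""
    allowed_users = user_visibility.get(viewer, set()) | {viewer}
    return [
        rec for rec in history
        if viewer in connection_access.get(rec[0], set()) and rec[1] in allowed_users
    ]

if __name__ == "__main__":
    for finding in sorted(exposed_pairs(CONNECTION_ACCESS, USER_VISIBILITY)):
        print("%s could learn about %s via history of %s" % finding)
```

An empty result from `exposed_pairs` means no pair of users sharing a connection lacks permission to see each other, so the condition this advisory describes does not arise for that permission set.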