CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active conne
- Glyptodon Enterprise 1.15 and older
- Glyptodon Enterprise 2.5 and older
Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.
- Multiple users that share access to the same connections, which are (1) already in use and (2) originally established using the HTTP tunnel instead of WebSocket.
- A user with access to a connection that is already in use by another user via the HTTP tunnel is able to read instantaneous blocks of transmitted connection data, as well as transmit data over that connection.
Both Glyptodon Enterprise 1.x and 2.x have been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
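To help evaluate exposure, the following added example (not part of the original advisory or of the Guacamole or Glyptodon code) counts from web access logs how many sessions were established over the HTTP tunnel rather than WebSocket, and from which client addresses. The request paths, status codes and log format are assumptions based on a default deployment, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption (not stated in the advisory): default web application paths, with
# the HTTP tunnel opened by POST .../tunnel?connect and the WebSocket tunnel
# served at .../websocket-tunnel.
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target):
    """Return 'http', 'websocket' or None for a request target."""
    path, _, query = target.partition("?")
    if path.endswith("/websocket-tunnel"):
        return "websocket"
    if path.endswith("/tunnel") and query == "connect":
        return "http"
    return None

def tunnel_exposure(lines):
    """Count established tunnels per transport and HTTP-tunnel client addresses."""
    counts, http_clients = Counter(), Counter()
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access-log line
        kind, status = classify(m["target"]), int(m["status"])
        # A WebSocket upgrade succeeds with 101, an HTTP tunnel connect with 200.
        if kind == "websocket" and status == 101:
            counts["websocket"] += 1
        elif kind == "http" and m["method"] == "POST" and status == 200:
            counts["http"] += 1
            http_clients[m["ip"]] += 1
    return counts, http_clients

# Constructed sample lines in common log format (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [12/Jan/2022:10:00:01 +0000] "GET /guacamole/websocket-tunnel?token=REDACTED HTTP/1.1" 101 0',
    '10.0.0.7 - - [12/Jan/2022:10:02:13 +0000] "POST /guacamole/tunnel?connect HTTP/1.1" 200 36',
    '10.0.0.7 - - [12/Jan/2022:10:05:40 +0000] "POST /guacamole/tunnel?connect HTTP/1.1" 200 36',
    '10.0.0.9 - - [12/Jan/2022:10:06:02 +0000] "POST /guacamole/tunnel?connect HTTP/1.1" 403 0',
    '10.0.0.5 - - [12/Jan/2022:10:07:00 +0000] "GET /guacamole/api/patches HTTP/1.1" 200 2',
    'not a log line',
]

if __name__ == "__main__":
    counts, clients = tunnel_exposure(SAMPLE)
    print(dict(counts), dict(clients))
```

A non-zero HTTP tunnel count on connections shared between users indicates that condition (2) above can occur in the deployment until it is upgraded.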