CVE-2021-43999: Improper validation of SAML responses

Severity: High
CVSS v3.1 base score: 8.7
CVSS v3.1 vector:

Software affected

  • Glyptodon Enterprise 2.6 and older

Description

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Preconditions for exploitation

  • SAML support for Apache Guacamole is enabled.

Results of a successful attack

  • A malicious user may assume the identity of another existing Guacamole user.

Mitigation

Glyptodon Enterprise 2.x has been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.
Glyptodon Enterprise 1.x does not have support for SAML available and is not affected.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
|---|---|---|
| Attack Vector | Network | Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface. |
| Attack Complexity | Low | Exploiting this vulnerability requires limited technical ability. |
| Privileges Required | None | No privileges are required to attempt to exploit this vulnerability. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The scope of information obtained does not extend beyond what Guacamole is explicitly designed to provide. |
| Confidentiality Impact | High | Any information accessible to the user impersonated by the attacker would be accessible. |
| Integrity | High | Any information writable/modifiable by the user impersonated by the attacker would be accessible. |
| Availability | None | The availability of Guacamole and all related services is unaffected. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.4.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.2.0 and 1.3.0 has been acknowledged by the upstream Apache Guacamole project. |
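
The breakdown above, carried through the CVSS v3.1 equations as an added example (not part of the original advisory): it shows that the published 8.7 is reproduced once Remediation Level and Report Confidence are applied to the base metrics. Exploit Code Maturity is not listed in the table and is assumed to be Not Defined (1.0); the function and dictionary names are illustrative.

```python
from math import floor

# Metric weights from the CVSS v3.1 specification, limited to the values
# that appear in the advisory's breakdown table.
BASE = {
    "AV": 0.85,  # Attack Vector: Network
    "AC": 0.77,  # Attack Complexity: Low
    "PR": 0.85,  # Privileges Required: None
    "UI": 0.85,  # User Interaction: None
    "C": 0.56,   # Confidentiality Impact: High
    "I": 0.56,   # Integrity: High
    "A": 0.0,    # Availability: None
}
TEMPORAL = {
    "E": 1.0,    # Exploit Code Maturity: ASSUMED Not Defined (not in the table)
    "RL": 0.95,  # Remediation Level: Official fix available
    "RC": 1.0,   # Report Confidence: Confirmed
}


def roundup(value):
    """CVSS v3.1 Roundup: smallest number with one decimal that is >= value."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (floor(scaled / 10000) + 1) / 10.0


def base_score(m):
    """Base score for Scope: Unchanged, as stated in the table."""
    iss = 1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"])
    impact = 6.42 * iss
    exploitability = 8.22 * m["AV"] * m["AC"] * m["PR"] * m["UI"]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def temporal_score(base, t):
    """Temporal score: base scaled by E, RL and RC, then rounded up."""
    return roundup(base * t["E"] * t["RL"] * t["RC"])


if __name__ == "__main__":
    base = base_score(BASE)
    print("base:", base, "temporal:", temporal_score(base, TEMPORAL))
```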