Severity: High
CVSS v3.1 base score: 8.7
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:X/RL:O/RC:C

Software affected

  • Glyptodon Enterprise 2.6 and older

Description

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.

Preconditions for exploitation

  • SAML support for Apache Guacamole is enabled.

Results of a successful attack

  • A malicious user may assume the identity of another existing Guacamole user.

Mitigation

Glyptodon Enterprise 2.x has been patched with respect to this vulnerability. Users should evaluate their exposure/risk based on this advisory and plan to upgrade when possible.

Glyptodon Enterprise 1.x does not have support for SAML available and is not affected.

Analysis and CVSS score breakdown

| Metric | Value | Comments |
|---|---|---|
| Attack Vector | Network | Exploiting this vulnerability relies only on communicating with the web application through standard mechanisms, as already exposed by Guacamole's web interface. |
| Attack Complexity | Low | Exploiting this vulnerability requires limited technical ability. |
| Privileges Required | None | No privileges are required to attempt to exploit this vulnerability. |
| User Interaction | None | An attacker would require no additional user interaction beyond their own. |
| Scope | Unchanged | The scope of information obtained does not extend beyond what Guacamole is explicitly designed to provide. |
| Confidentiality Impact | High | Any information accessible to the user impersonated by the attacker would be accessible. |
| Integrity | High | Any information writable/modifiable to the user impersonated by the attacker would be accessible. |
| Availability | None | The availability of Guacamole and all related services is unaffected. |
| Remediation Level | Official fix available | The upstream Apache Guacamole project has released a fix via their 1.4.0 release, and this fix has been backported to all affected versions of Glyptodon Enterprise. |
| Report Confidence | Confirmed | Existence of the vulnerability in Apache Guacamole 1.2.0 and 1.3.0 has been acknowledged by the upstream Apache Guacamole project. |