Vulnerability Details : CVE-2020-9497
Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection.
Vulnerability category: Input validation
Products affected by CVE-2020-9497
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:guacamole:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-9497
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 15 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-9497
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.2
|
LOW | AV:L/AC:H/Au:N/C:P/I:N/A:N |
1.9
|
2.9
|
NIST | |
4.4
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
0.8
|
3.6
|
NIST |
CWE ids for CVE-2020-9497
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-9497
-
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525
Pulse Security Advisory: SA44525 - 2020-07: Out-of-Cycle Advisory: Multiple Vulnerabilities in Apache Guacamole SoftwareThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html
[SECURITY] [DLA 2435-1] guacamole-server security updateMailing List;Third Party Advisory
-
https://research.checkpoint.com/2020/apache-guacamole-rce/
Would you like some RCE with your Guacamole? - Check Point ResearchThird Party Advisory
-
https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@%3Cuser.guacamole.apache.org%3E
Re: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVV5K2X4EXSAVUUL7IJ3MUJ3ADWMVSBM/
[SECURITY] Fedora 32 Update: guacamole-server-1.2.0-3.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@%3Cuser.guacamole.apache.org%3E
RE: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
Re: Apache Software Foundation Security Report: 2020 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E
[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/
[SECURITY] Fedora 33 Update: guacamole-server-1.2.0-3.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E
[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
Apache Software Foundation Security Report: 2020 - Pony MailMailing List;Vendor Advisory
Jump to