{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-9497", "ASSIGNER": "security@apache.org", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "n/a", "product": { "product_data": [ { "product_name": "Apache Guacamole", "version": { "version_data": [ { "version_value": "Apache Guacamole 1.1.0 and older" } ] } } ] } } ] } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "refsource": "MISC", "name": "https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E", "url": "https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E" }, { "refsource": "MLIST", "name": "[announce] 20200701 [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels", "url": "https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E" }, { "refsource": "MLIST", "name": "[guacamole-user] 20200703 Re: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels", "url": "https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@%3Cuser.guacamole.apache.org%3E" }, { "refsource": "MLIST", "name": "[guacamole-user] 20200703 RE: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels", "url": "https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@%3Cuser.guacamole.apache.org%3E" }, { "refsource": "MISC", "name": "https://research.checkpoint.com/2020/apache-guacamole-rce/", "url": "https://research.checkpoint.com/2020/apache-guacamole-rce/" }, { "refsource": "CONFIRM", "name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525", "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44525" }, { "refsource": "MLIST", "name": "[debian-lts-announce] 20201106 [SECURITY] [DLA 2435-1] guacamole-server security update", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html" }, { "refsource": "FEDORA", "name": "FEDORA-2020-bfde0ab889", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVV5K2X4EXSAVUUL7IJ3MUJ3ADWMVSBM/" }, { "refsource": "FEDORA", "name": "FEDORA-2020-640645e518", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNS7UHBOFV6JHWH5XOEZTE3BREGRSSQ3/" }, { "refsource": "MLIST", "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E" }, { "refsource": "MLIST", "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E" } ] }, "description": { "description_data": [ { "lang": "eng", "value": "Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection." } ] } }