CVE-2018-1340 – org.apache.guacamole:guacamole-common
Package
Manager: maven
Name: org.apache.guacamole:guacamole-common
Vulnerable Version: >=0 <1.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00633 (percentile: 0.69453)
Details
Missing Encryption of Sensitive Data in Apache Guacamole
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
Metadata
Created: 2022-05-13T01:49:47Z
Modified: 2022-11-03T18:46:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wr7r-vg3c-54r5/GHSA-wr7r-vg3c-54r5.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-wr7r-vg3c-54r5
Finding: F020
Auto approve: 1