[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie
From:       Mike Jumper <mjumper () apache ! org>
Date:       2019-01-23 22:21:30
Message-ID: CALKeL-M8wreyyeUigfN=au1foco8K1fJXDEe-5EEEjXoYzsbiA () mail ! gmail ! com
[Download RAW message or body]

CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.
[prev in list] [next in list] [prev in thread] [next in thread]