====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN026

_____________________________________________________________________

DATE                : 30/01/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Guacamole versions prior to
                                           1.0.0.

=====================================================================
http://mail-archives.us.apache.org/mod_mbox/www-announce/201901.mbox/%3CCALKeL-O+=Rxbd0y+hSB9=Y0N400A8sV2BiKgZfNsjGxZipA-uQ@mail.gmail.com%3E
_____________________________________________________________________

CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie

Versions affected:
Apache Guacamole 0.9.4 through 0.9.14

Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

Credit:
We would like to thank Ross Golder for reporting this issue.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================