Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN411
_____________________________________________________________________

DATE                : 03/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Guacamole version
                                prior to 1.6.0.

=====================================================================
https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70
_____________________________________________________________________

[SECURITY] CVE-2024-35164: Apache Guacamole: Improper input validation
of console codes


Severity: moderate
Base CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected versions:

- Apache Guacamole 0.8.0 through 1.5.5

Description:

The terminal emulator of Apache Guacamole 1.5.5 and older does not 
properly validate console codes received from servers via text-based 
protocols like SSH. If a malicious user has access to a text-based 
connection, a specially-crafted sequence of console codes could allow 
arbitrary code to be executed with the privileges of the running guacd 
process.

Users are recommended to upgrade to version 1.6.0, which fixes this
issue.

Credit:

We would like to thank Tizian Seehaus (Tibotix) for reporting this
issue.

References:

https://guacamole.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-35164


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================