ID

VAR-201902-0547


CVE

CVE-2018-1340


TITLE

Apache Guacamole vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2019-001971

DESCRIPTION

Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. Apache Guacamole contains an information disclosure vulnerability. Information may be obtained. Apache Guacamole is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Apache Guacamole 0.9.4 through 0.9.14 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2018-1340 // JVNDB: JVNDB-2019-001971 // BID: 106768

AFFECTED PRODUCTS

vendor: apache, model: guacamole, scope: lte, version: 0.9.14

Trust: 1.0

vendor: apache, model: guacamole, scope: lt, version: 1.0.0

Trust: 0.8

vendor: apache, model: guacamole, scope: eq, version: 0.9.14

Trust: 0.3

vendor: apache, model: guacamole, scope: eq, version: 0.9.4

Trust: 0.3

vendor: apache, model: guacamole, scope: ne, version: 1.0

Trust: 0.3

sources: BID: 106768 // JVNDB: JVNDB-2019-001971 // NVD: CVE-2018-1340

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-1340
value: HIGH

Trust: 1.0

NVD: CVE-2018-1340
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201901-866
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-1340
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-1340
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2019-001971 // CNNVD: CNNVD-201901-866 // NVD: CVE-2018-1340

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.0

problemtype:CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2019-001971 // NVD: CVE-2018-1340

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-866

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201901-866

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001971

PATCH

title: [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
url: https://lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979@%3Cannounce.guacamole.apache.org%3E

Trust: 0.8

title: Apache Guacamole Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88940

Trust: 0.6

sources: JVNDB: JVNDB-2019-001971 // CNNVD: CNNVD-201901-866

EXTERNAL IDS

db: NVD, id: CVE-2018-1340

Trust: 2.7

db: BID, id: 106768

Trust: 1.9

db: JVNDB, id: JVNDB-2019-001971

Trust: 0.8

db: NSFOCUS, id: 43902

Trust: 0.6

db: CNNVD, id: CNNVD-201901-866

Trust: 0.6

sources: BID: 106768 // JVNDB: JVNDB-2019-001971 // CNNVD: CNNVD-201901-866 // NVD: CVE-2018-1340

REFERENCES

url:http://www.securityfocus.com/bid/106768

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-1340

Trust: 1.4

url:https://lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979%40%3cannounce.guacamole.apache.org%3e

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1340

Trust: 0.8

url:https://lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979@%3cannounce.guacamole.apache.org%3e

Trust: 0.6

url:http://www.nsfocus.net/vulndb/43902

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-guacamole-information-disclosure-via-insecure-cookie-28734

Trust: 0.6

url:https://seclists.org/oss-sec/2019/q1/90

Trust: 0.3

url:http://www.apache.org/

Trust: 0.3

url:http://mail-archives.us.apache.org/mod_mbox/www-announce/201901.mbox/%3ccalkel-o+=rxbd0y+hsb9=y0n400a8sv2bikgzfnsjgxzipa-uq@mail.gmail.com%3e

Trust: 0.3

sources: BID: 106768 // JVNDB: JVNDB-2019-001971 // CNNVD: CNNVD-201901-866 // NVD: CVE-2018-1340

CREDITS

Ross Golder

Trust: 0.9

sources: BID: 106768 // CNNVD: CNNVD-201901-866

SOURCES

db: BID, id: 106768
db: JVNDB, id: JVNDB-2019-001971
db: CNNVD, id: CNNVD-201901-866
db: NVD, id: CVE-2018-1340

LAST UPDATE DATE

2024-11-23T23:08:27.379000+00:00


SOURCES UPDATE DATE

db: BID, id: 106768, date: 2019-01-23T00:00:00
db: JVNDB, id: JVNDB-2019-001971, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201901-866, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-1340, date: 2024-11-21T03:59:39.510

SOURCES RELEASE DATE

db: BID, id: 106768, date: 2019-01-23T00:00:00
db: JVNDB, id: JVNDB-2019-001971, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201901-866, date: 2019-01-24T00:00:00
db: NVD, id: CVE-2018-1340, date: 2019-02-07T22:29:00.287