Details of VAR-202007-1187

ID

VAR-202007-1187

CVE

CVE-2020-9497

TITLE

Apache Guacamole Vulnerability regarding information leakage in

Trust: 0.8

sources: JVNDB: JVNDB-2020-007363

DESCRIPTION

Apache Guacamole 1.1.0 and older do not properly validate datareceived from RDP servers via static virtual channels. If a userconnects to a malicious or compromised RDP server, specially-craftedPDUs could result in disclosure of information within the memory ofthe guacd process handling the connection. Apache Guacamole There is an information leakage vulnerability in.Information may be obtained. Apache Guacamole is a clientless remote desktop gateway of the Apache Software Foundation. The product supports protocols such as VNC, RDP and SSH. Attackers can use this vulnerability to obtain information with the help of specially crafted PDUs

Trust: 2.16

sources: NVD: CVE-2020-9497 // JVNDB: JVNDB-2020-007363 // CNVD: CNVD-2020-41807

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-41807

AFFECTED PRODUCTS

vendor:	fedoraproject	model:	fedora	scope:	eq	version:	33	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	apache	model:	guacamole	scope:	lte	version:	1.1.0	Trust: 1.0
vendor:	apache	model:	guacamole	scope:	eq	version:	1.1.0	Trust: 0.8
vendor:	apache	model:	guacamole	scope:	lte	version:	<=1.1.0	Trust: 0.6

sources: CNVD: CNVD-2020-41807 // JVNDB: JVNDB-2020-007363 // NVD: CVE-2020-9497

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-9497
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-007363
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-41807
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202007-135
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2020-9497
severity:	LOW
baseScore:	1.2
vectorString:	AV:L/AC:H/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-007363
severity:	LOW
baseScore:	1.2
vectorString:	AV:L/AC:H/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-41807
severity:	LOW
baseScore:	1.2
vectorString:	AV:L/AC:H/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-9497
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-007363
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-41807 // JVNDB: JVNDB-2020-007363 // CNNVD: CNNVD-202007-135 // NVD: CVE-2020-9497

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	CWE-200	Trust: 0.8

sources: JVNDB: JVNDB-2020-007363 // NVD: CVE-2020-9497

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202007-135

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202007-135

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007363

PATCH

title:	Re: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels	url:	https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@%3Cuser.guacamole.apache.org%3E	Trust: 0.8
title:	RE: [SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels	url:	https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@%3Cuser.guacamole.apache.org%3E	Trust: 0.8
title:	[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels (r3f071d)	url:	https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3Cannounce.apache.org%3E	Trust: 0.8
title:	[SECURITY] CVE-2020-9497: Apache Guacamole: Improper input validation of RDP static virtual channels (r65f75d3)	url:	https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3Cannounce.guacamole.apache.org%3E	Trust: 0.8
title:	Patch for Apache Guacamole Information Disclosure Vulnerability (CNVD-2020-41807)	url:	https://www.cnvd.org.cn/patchInfo/show/226399	Trust: 0.6
title:	Apache Guacamole Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=123280	Trust: 0.6

sources: CNVD: CNVD-2020-41807 // JVNDB: JVNDB-2020-007363 // CNNVD: CNNVD-202007-135

EXTERNAL IDS

db:	NVD	id:	CVE-2020-9497	Trust: 3.0
db:	PULSESECURE	id:	SA44525	Trust: 1.6
db:	JVNDB	id:	JVNDB-2020-007363	Trust: 0.8
db:	CNVD	id:	CNVD-2020-41807	Trust: 0.6
db:	NSFOCUS	id:	47097	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3925	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2288	Trust: 0.6
db:	CNNVD	id:	CNNVD-202007-135	Trust: 0.6

sources: CNVD: CNVD-2020-41807 // JVNDB: JVNDB-2020-007363 // CNNVD: CNNVD-202007-135 // NVD: CVE-2020-9497

REFERENCES

url:	https://research.checkpoint.com/2020/apache-guacamole-rce/	Trust: 2.2
url:	https://lists.apache.org/thread.html/r65f75d3d65d1af68141f42071ebb27dda24af3e45570e593c1dbd81f%40%3cannounce.guacamole.apache.org%3e	Trust: 1.6
url:	https://lists.debian.org/debian-lts-announce/2020/11/msg00010.html	Trust: 1.6
url:	https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44525	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9497	Trust: 1.4
url:	https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f%40%3cannounce.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7%40%3cuser.guacamole.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/tvv5k2x4exsavuul7ij3muj3adwmvsbm/	Trust: 1.0
url:	https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3cannounce.apache.org%3e	Trust: 1.0
url:	https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847%40%3cuser.guacamole.apache.org%3e	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wns7uhbofv6jhwh5xoezte3bregrssq3/	Trust: 1.0
url:	https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3cannounce.apache.org%3e	Trust: 1.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9497	Trust: 0.8
url:	https://lists.apache.org/thread.html/r181b1d5b1acb31cfa69f41b2c86ed3a2cb0b5bc09c2cbd31e9e7c847@%3cuser.guacamole.apache.org%3e	Trust: 0.6
url:	https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3cannounce.apache.org%3e	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wns7uhbofv6jhwh5xoezte3bregrssq3/	Trust: 0.6
url:	https://lists.apache.org/thread.html/r066543f0565e97b27c0dfe27e93e8a387b99e1e35764000224ed96e7@%3cuser.guacamole.apache.org%3e	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/tvv5k2x4exsavuul7ij3muj3adwmvsbm/	Trust: 0.6
url:	https://lists.apache.org/thread.html/r3f071de70ea1facd3601e0fa894e6cadc960627ee7199437b5a56f7f@%3cannounce.apache.org%3e	Trust: 0.6
url:	https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3cannounce.apache.org%3e	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3925/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/apache-guacamole-information-disclosure-via-rdp-server-32745	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/47097	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2288/	Trust: 0.6

sources: CNVD: CNVD-2020-41807 // JVNDB: JVNDB-2020-007363 // CNNVD: CNNVD-202007-135 // NVD: CVE-2020-9497

SOURCES

db:	CNVD	id:	CNVD-2020-41807
db:	JVNDB	id:	JVNDB-2020-007363
db:	CNNVD	id:	CNNVD-202007-135
db:	NVD	id:	CVE-2020-9497

LAST UPDATE DATE

2024-11-23T22:11:26.026000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-41807	date:	2020-07-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-007363	date:	2020-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202007-135	date:	2021-02-25T00:00:00
db:	NVD	id:	CVE-2020-9497	date:	2024-11-21T05:40:46.530

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-41807	date:	2020-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-007363	date:	2020-08-11T00:00:00
db:	CNNVD	id:	CNNVD-202007-135	date:	2020-07-02T00:00:00
db:	NVD	id:	CVE-2020-9497	date:	2020-07-02T13:15:10.997