Details of VAR-202201-0850

ID

VAR-202201-0850

CVE

CVE-2021-43999

TITLE

Apache Guacamole Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-002969

DESCRIPTION

Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user. Apache Guacamole There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache Guacamole is a clientless remote desktop gateway of the Apache Foundation. The product supports protocols such as VNC, RDP and SSH. No detailed vulnerability details are currently provided

Trust: 2.16

sources: NVD: CVE-2021-43999 // JVNDB: JVNDB-2022-002969 // CNVD: CNVD-2022-04989

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-04989

AFFECTED PRODUCTS

vendor:	apache	model:	guacamole	scope:	eq	version:	1.2.0	Trust: 2.4
vendor:	apache	model:	guacamole	scope:	eq	version:	1.3.0	Trust: 2.4
vendor:	apache	model:	guacamole	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2022-04989 // JVNDB: JVNDB-2022-002969 // NVD: CVE-2021-43999

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-43999
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-43999
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-04989
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-892
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2021-43999
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-04989
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-43999
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-43999
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-04989 // JVNDB: JVNDB-2022-002969 // CNNVD: CNNVD-202201-892 // NVD: CVE-2021-43999

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.0
problemtype:	Inappropriate authentication (CWE-287) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-002969 // NVD: CVE-2021-43999

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-892

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202201-892

PATCH

title:	Improper validation of SAML responses	url:	https://lists.apache.org/thread/4dt9h5mo4o9rxlgxm3rp8wfqdtdjn2z9	Trust: 0.8
title:	Patch for Apache Guacamole Authorization Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/314441	Trust: 0.6
title:	Apache Guacamole Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178164	Trust: 0.6

sources: CNVD: CNVD-2022-04989 // JVNDB: JVNDB-2022-002969 // CNNVD: CNNVD-202201-892

EXTERNAL IDS

db:	NVD	id:	CVE-2021-43999	Trust: 3.8
db:	OPENWALL	id:	OSS-SECURITY/2022/01/11/7	Trust: 2.4
db:	JVNDB	id:	JVNDB-2022-002969	Trust: 0.8
db:	CNVD	id:	CNVD-2022-04989	Trust: 0.6
db:	CS-HELP	id:	SB2022011217	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-892	Trust: 0.6

sources: CNVD: CNVD-2022-04989 // JVNDB: JVNDB-2022-002969 // CNNVD: CNNVD-202201-892 // NVD: CVE-2021-43999

REFERENCES

url:	http://www.openwall.com/lists/oss-security/2022/01/11/7	Trust: 2.4
url:	https://lists.apache.org/thread/4dt9h5mo4o9rxlgxm3rp8wfqdtdjn2z9	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43999	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2022011217	Trust: 0.6

sources: CNVD: CNVD-2022-04989 // JVNDB: JVNDB-2022-002969 // CNNVD: CNNVD-202201-892 // NVD: CVE-2021-43999

SOURCES

db:	CNVD	id:	CNVD-2022-04989
db:	JVNDB	id:	JVNDB-2022-002969
db:	CNNVD	id:	CNNVD-202201-892
db:	NVD	id:	CVE-2021-43999

LAST UPDATE DATE

2024-11-23T22:15:58.318000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-04989	date:	2022-01-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-002969	date:	2023-02-01T04:54:00
db:	CNNVD	id:	CNNVD-202201-892	date:	2022-01-17T00:00:00
db:	NVD	id:	CVE-2021-43999	date:	2024-11-21T06:30:10.790

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-04989	date:	2022-01-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-002969	date:	2023-02-01T00:00:00
db:	CNNVD	id:	CNNVD-202201-892	date:	2022-01-11T00:00:00
db:	NVD	id:	CVE-2021-43999	date:	2022-01-11T22:15:07.627