Bug 1923136 (CVE-2020-11997)

Summary: CVE-2020-11997 guacamole-server: inconsistent history access restriction may lead to IP adress disclosure
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chase9, negativo17, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 05:29:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1923137    
Bug Blocks:    

Description Marian Rehak 2021-02-01 13:27:24 UTC 
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

Upstream Reference:

https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E
Comment 1 Marian Rehak 2021-02-01 13:27:39 UTC 
Created guacamole-server tracking bugs for this issue:

Affects: epel-7 [bug 1923137]
Comment 2 Robert Scheck 2021-02-01 14:11:37 UTC 
Not sure why a tracking bug was filed, guacamole-server-1.3.0-1.el7 is in EPEL 7 for 14+ days now via https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-0d2625d3b1