Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.

Mitigation: Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

References: https://seclists.org/oss-sec/2019/q1/90
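
A check for the condition described above, as an added example that is not part of the original report and is not Guacamole's code: it parses cookie definition strings (the value of a Set-Cookie header or a string assigned to document.cookie) and reports the cookies that lack the Secure attribute. The cookie name SESSION_TOKEN and all sample values are constructed placeholders; the parser matches attribute names exactly, so "secure" appearing in a cookie name or value is not mistaken for the flag.

```javascript
// Added example: audits cookie definition strings for the Secure attribute.
// SESSION_TOKEN and every sample value below are constructed placeholders.

// Parse "name=value; Attr; Attr=val" into the cookie name and its attribute names.
function parseCookieDefinition(definition) {
  const parts = definition.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error("empty cookie definition");
  const eq = parts[0].indexOf("=");
  if (eq < 1) throw new Error("missing cookie name: " + definition);
  const name = parts[0].slice(0, eq).trim();
  const attrs = new Set();
  for (const part of parts.slice(1)) {
    // Attribute names are case-insensitive; any "=value" suffix is dropped.
    attrs.add(part.split("=")[0].trim().toLowerCase());
  }
  return { name, attrs };
}

// Names of cookies that a browser would also attach to plain-HTTP requests.
function cookiesMissingSecure(definitions) {
  return definitions
    .map(parseCookieDefinition)
    .filter((c) => !c.attrs.has("secure"))
    .map((c) => c.name);
}

// Constructed samples.
const samples = [
  "SESSION_TOKEN=0123abcd; Path=/",                   // no Secure: flagged
  "SESSION_TOKEN2=0123abcd; Path=/; secure",          // lower-case attribute: accepted
  "secure_pref=1; Path=/; SameSite=Lax",              // "secure" only in the name: flagged
  "theme=secure; Path=/; HttpOnly",                   // "secure" only in the value: flagged
  "SESSION_TOKEN3=0123abcd; Path=/; Secure; HttpOnly" // accepted
];

console.log(cookiesMissingSecure(samples));
```
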
Created guacamole tracking bugs for this issue:
Affects: fedora-all [bug 1669112]

Created guacamole tracking bugs for this issue:
Affects: epel-all [bug 1669120]

Created guacamole-server tracking bugs for this issue:
Affects: epel-all [bug 1669122]
Affects: fedora-all [bug 1669121]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.