{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-35164", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-05-10T07:46:23.307Z", "datePublished": "2025-07-02T11:23:22.750Z", "dateUpdated": "2025-11-04T21:08:36.862Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Guacamole", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.5.5", "status": "affected", "version": "0.8.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Tizian Seehaus (Tibotix)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed\nwith the privileges of the running guacd process.</div><div><br></div><div>Users are recommended to upgrade to version 1.6.0, which fixes this issue.</div>"}], "value": "The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed\nwith the privileges of the running guacd process.\n\n\n\n\nUsers are recommended to upgrade to version 1.6.0, which fixes this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-02T11:23:22.750Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-05-04T13:09:00.000Z", "value": "Reported to security@guacamole.apache.org"}, {"lang": "en", "time": "2024-05-04T22:48:00.000Z", "value": "Report acknowledged by project"}, {"lang": "en", "time": "2024-05-10T07:44:00.000Z", "value": "Report confirmed by project"}], "title": "Apache Guacamole: Improper input validation of console codes", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-35164"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-03T03:55:32.080Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/01/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:08:36.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/07/01/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:08:36.862Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T13:06:50.250702Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:07:00.302Z"}}], "cna": {"title": "Apache Guacamole: Improper input validation of console codes", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Tizian Seehaus (Tibotix)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Guacamole", "versions": [{"status": "affected", "version": "0.8.0", "versionType": "semver", "lessThanOrEqual": "1.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-04T13:09:00.000Z", "value": "Reported to security@guacamole.apache.org"}, {"lang": "en", "time": "2024-05-04T22:48:00.000Z", "value": "Report acknowledged by project"}, {"lang": "en", "time": "2024-05-10T07:44:00.000Z", "value": "Report confirmed by project"}], "references": [{"url": "https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed\nwith the privileges of the running guacd process.\n\n\n\n\nUsers are recommended to upgrade to version 1.6.0, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "<div>The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed\nwith the privileges of the running guacd process.</div><div><br></div><div>Users are recommended to upgrade to version 1.6.0, which fixes this issue.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-07-02T11:23:22.750Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35164", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:08:36.862Z", "dateReserved": "2024-05-10T07:46:23.307Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-07-02T11:23:22.750Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:guacamole:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4DFA73D-049A-4EC8-87D8-907E13733558", "versionEndExcluding": "1.6.0", "versionStartIncluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed\nwith the privileges of the running guacd process.\n\n\n\n\nUsers are recommended to upgrade to version 1.6.0, which fixes this issue."}, {"lang": "es", "value": "El emulador de terminal de Apache Guacamole 1.5.5 y versiones anteriores no valida correctamente los c\u00f3digos de consola recibidos de servidores mediante protocolos de texto como SSH. Si un usuario malintencionado accede a una conexi\u00f3n de texto, una secuencia de c\u00f3digos de consola especialmente manipulada podr\u00eda permitir la ejecuci\u00f3n de c\u00f3digo arbitrario con los privilegios del proceso guacd en ejecuci\u00f3n. Se recomienda actualizar a la versi\u00f3n 1.6.0, que soluciona este problema."}], "id": "CVE-2024-35164", "lastModified": "2025-11-04T22:16:01.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security@apache.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-02T12:15:27.770", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/07/01/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-07-06T22:16:24.051469+00:00", "updated": "2025-07-06T22:16:24.051590+00:00", "vendors": ["apache", "apache$PRODUCT$guacamole"]}