CVE-2024-35164
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | guacamole | From 0.8.0 (inc) to 1.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the terminal emulator of Apache Guacamole version 1.5.5 and older, where it does not properly validate console codes received from servers via text-based protocols like SSH. A malicious user with access to a text-based connection could send a specially-crafted sequence of console codes that may allow arbitrary code execution with the privileges of the running guacd process.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary code on the system running the guacd process, potentially leading to unauthorized actions or control over the affected system with the privileges of that process.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Guacamole to version 1.6.0, which fixes this issue.