Merge CVE-2023-43826 vulnerability documentation, fixed in 1.5.4.

apache · Dec 19, 2023 · b0fe635 · b0fe635
2 parents 028ab8b + 3425aea
commit b0fe635
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/_security/CVE-2023-43826.md b/_security/CVE-2023-43826.md
@@ -0,0 +1,15 @@
+---
+title: Integer overflow in handling of VNC image buffers
+cve:   CVE-2023-43826
+fixed: 1.5.4
+---
+
+Apache Guacamole 1.5.3 and older do not consistently ensure that values
+received from a VNC server will not result in integer overflow. If a user
+connects to a malicious or compromised VNC server, specially crafted data could
+result in memory corruption, possibly allowing arbitrary code to be executed
+with the privileges of the running guacd process.
+
+Acknowledgements: We would like to thank Joseph Surin and Matt Jones (Elttam)
+for reporting this issue.
+