This is an automated email from the ASF dual-hosted git repository.

vnick pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/guacamole-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 114e5e1  Document vulnerability CVE-2018-1340, fixed in 1.0.0.
     new c222748  Merge document vulnerability CVE-2018-1340, fixed in 1.0.0.
114e5e1 is described below

commit 114e5e1f8536d1fd30dc21850ccb79edcf753c87
Author: Michael Jumper <mjum...@apache.org>
AuthorDate: Wed Jan 9 22:29:44 2019 -0800

    Document vulnerability CVE-2018-1340, fixed in 1.0.0.
---
 _security/CVE-2018-1340.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/_security/CVE-2018-1340.md b/_security/CVE-2018-1340.md
new file mode 100644
index 0000000..83abb74
--- /dev/null
+++ b/_security/CVE-2018-1340.md
@@ -0,0 +1,13 @@
+---
+title: Secure flag missing from session cookie
+cve:   CVE-2018-1340
+fixed: 1.0.0
+---
+
+Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the
+user's session token. This cookie lacked the "secure" flag, which could allow
+an attacker eavesdropping on the network to intercept the user's session token
+if unencrypted HTTP requests are made to the same domain.
+
+Acknowledgements: We would like to thank Ross Golder for reporting this issue.
+

Reply via email to