On Mon, Aug 29, 2022 at 12:40 PM Sean Hulbert <[email protected]> wrote:
> Hello,
>
> We did a lightweight scan of the Guacamole system 1.3.0 and 1.4.0

It will not be useful to scan anything but the latest release (1.4.0). Any finding from scanning an older release that does not apply to the current release would be remediated by upgrading.

> These are the results we got.

Going forward, please report any security-related findings to the private [email protected] list in favor of posting to a public list. See:

https://guacamole.apache.org/security/

The discussion can always be moved to a public list after analysis has determined that no action is needed on our part.

> My question is are you aware and is it documented for remediation?

They are not applicable. Each of the findings noted relates only to versions of JavaScript libraries that are not present in the current release of Guacamole (1.4.0):

- CVE-2018-16487 (applies only to Lodash < 4.17.11, whereas Guacamole uses 4.17.21)
- CVE-2019-10744 (applies only to Lodash < 4.17.12, whereas Guacamole uses 4.17.21)
- CVE-2019-11358 (applies only to jQuery < 3.4.0, whereas Guacamole uses 3.6.0)
- CVE-2020-8203 (applies only to Lodash < 4.17.20, whereas Guacamole uses 4.17.21)
- CVE-2020-11022 (applies only to jQuery < 3.5.0, whereas Guacamole uses 3.6.0)
- CVE-2020-11023 (applies only to jQuery < 3.5.0, whereas Guacamole uses 3.6.0)
- CVE-2020-28500 (applies only to Lodash < 4.17.21, whereas Guacamole uses 4.17.21)
- CVE-2021-23337 (applies only to Lodash < 4.17.21, whereas Guacamole uses 4.17.21)

IIRC, the above also would not apply as neither jQuery nor Lodash are used by Guacamole in the processing of untrusted data, but we are mercifully saved from performing an in-depth analysis by the fact that the relevant versions are not used by the current Guacamole release. ;)

- Mike
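
An added triage example, not part of the thread or of the Guacamole project: it checks each scanner finding's "applies only to versions below X" boundary against the versions the reply says are bundled in 1.4.0, so that version-based false positives are separated from findings that need review. The dotted-integer version comparison is an assumption of the example (it drops pre-release suffixes and is not full semver).

```python
import re

# Findings as listed in the reply: (CVE, library, first version that is NOT affected).
# "applies only to Lodash < 4.17.11" means the finding is fixed from 4.17.11 onward.
SCAN_FINDINGS = [
    ("CVE-2018-16487", "lodash", "4.17.11"),
    ("CVE-2019-10744", "lodash", "4.17.12"),
    ("CVE-2019-11358", "jquery", "3.4.0"),
    ("CVE-2020-8203", "lodash", "4.17.20"),
    ("CVE-2020-11022", "jquery", "3.5.0"),
    ("CVE-2020-11023", "jquery", "3.5.0"),
    ("CVE-2020-28500", "lodash", "4.17.21"),
    ("CVE-2021-23337", "lodash", "4.17.21"),
]

# Library versions bundled in the release under review, per the reply.
BUNDLED_1_4_0 = {"lodash": "4.17.21", "jquery": "3.6.0"}


def parse_version(v):
    """'4.17.21' -> (4, 17, 21). A suffix such as '-beta' is ignored (assumption:
    plain dotted integers are enough for the libraries compared here)."""
    m = re.match(r"\d+(\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a, b):
    """True if version a is strictly lower than b; pads so '4.17' == '4.17.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_applicable(finding, bundled):
    """Classify one finding against the bundled versions."""
    _cve, lib, fixed_in = finding
    installed = bundled.get(lib)
    if installed is None:
        # Scanner named a library the release does not ship: needs a human to
        # confirm the scanner's identification rather than silently closing it.
        return "library not bundled"
    return "applicable" if version_lt(installed, fixed_in) else "not applicable"


def triage(findings, bundled):
    """Map each CVE to its status so the non-applicable ones can be closed."""
    return {cve: is_applicable((cve, lib, fixed), bundled) for cve, lib, fixed in findings}
```

Running `triage(SCAN_FINDINGS, BUNDLED_1_4_0)` marks all eight findings "not applicable", matching the reply; the same table against an older bundle would surface the ones that do need an upgrade.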
