Networking

In Apache Guacamole versions 1.5.5 and earlier a high severity vulnerability CVE-2024-35164 was detected. This vulnerability allows a malicious user with access to a text-based connection (such as SSH) to exploit improperly validated console codes, potentially leading to arbitrary code execution with the privileges of the running guacd process. To fix this issue, users should upgrade to version 1.6.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-35164.

In Consul Community Edition versions from 1.9.0 to 1.20.0 and Consul Enterprise versions 1.9.0 up to 1.20.0, 1.19.2, 1.18.4, and 1.15.14 a medium severity vulnerability CVE-2024-10005 was detected. This vulnerability allows attackers to bypass HTTP request path-based access controls in Layer 7 (L7) traffic intentions due to inadequate path normalization, potentially enabling unauthorized access to restricted HTTP paths. To fix this issue, users should upgrade Consul Community Edition to version 1.20.1 and Consul Enterprise to version 1.20.1, 1.19.3, 1.18.5, and 1.15.15. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10005.

In Consul versions 1.9.0 and earlier than 1.20.1 a high severity vulnerability CVE-2024-10005 was detected. This vulnerability allows attackers to bypass HTTP request path-based access rules by using URL paths in L7 traffic intentions. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10005.

In Consul versions 1.4.1 through 1.19.x a medium severity vulnerability CVE-2024-10086 was found. This issue could let attackers misuse user input, potentially causing a reflected XSS attack because the server response doesn’t include a Content-Type HTTP header. Currently, there is no fix for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10086.

In Consul versions 1.9.0 through 1.20.0 a high severity vulnerability CVE-2024-10006 was detected. This vulnerability allows attackers to bypass HTTP header-based access rules by exploiting Headers in L7 traffic intentions. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-10006.