VYPR
Unrated severity · NVD Advisory · Published Jan 11, 2022 · Updated Aug 4, 2024

Private tunnel identifier may be included in the non-private details of active connections

CVE-2021-41767

Description

Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Guacamole 1.3.0 and older may leak a private tunnel identifier via REST responses, enabling authenticated users to interfere with others' active connections.

Vulnerability

Apache Guacamole versions 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses [1]. This affects authenticated users who have permission to access a particular connection; the bug occurs when the server returns information about active connections, exposing the internal tunnel identifier that should remain private.

Exploitation

An attacker must be an authenticated user of Apache Guacamole with permission to access the same connection as the victim. Exploitation requires the attacker to call the vulnerable REST endpoint(s) that return details of active connections, where the private tunnel identifier is inadvertently included in non-private fields [1]. No additional privileges or user interaction beyond authentication are needed.

Impact

If exploited, an attacker can read or interact with another user's active use of the same connection [1]. This can lead to information disclosure (observing another user's session activity) and potential manipulation of the shared connection, depending on the capabilities of the protocol or application being accessed through Guacamole.

Mitigation

Upgrade to Apache Guacamole 1.4.0 or later, which contains the fix for this issue [1]. No workarounds are documented in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
