Improper validation of SAML responses
Description
Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. If SAML support is enabled, this may allow a malicious user to assume the identity of another Guacamole user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Guacamole 1.2.0 and 1.3.0 fail to validate SAML identity provider responses, enabling user impersonation when SAML is enabled.
Vulnerability
Apache Guacamole versions 1.2.0 and 1.3.0 do not properly validate responses received from a SAML identity provider. This vulnerability resides in the SAML authentication module. If SAML support is enabled, the lack of proper validation allows an attacker to manipulate SAML responses. The affected versions are explicitly 1.2.0 and 1.3.0 [1].
Exploitation
An attacker must have network access to the Guacamole server and the ability to intercept or craft SAML responses. The attacker can send a malicious SAML response that claims the identity of another user. No authentication is required beyond the ability to interact with the SAML authentication flow. The attacker does not need prior access to the target user's account [1].
Impact
Successful exploitation allows the attacker to assume the identity of any other Guacamole user. This leads to unauthorized access to the victim's Guacamole session, potentially including remote desktop connections and other resources accessible through Guacamole. The impact is high confidentiality and integrity compromise, as the attacker can perform actions as the impersonated user [1].
Mitigation
The issue is fixed in Apache Guacamole 1.4.0, released on January 11, 2022 [1]. Users should upgrade to version 1.4.0 or later. If upgrading is not immediately possible, disabling SAML authentication is a workaround. No other workarounds are mentioned in the reference [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (2 versions): >= 1.2.0, <= 1.2.0, + 1 more
- (no CPE) range: >= 1.2.0, <= 1.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.openwall.com/lists/oss-security/2022/01/11/7 (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread/4dt9h5mo4o9rxlgxm3rp8wfqdtdjn2z9 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.