The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
                
History

Wed, 09 Jul 2025 15:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Apache Apache guacamole | |
| Weaknesses | NVD-CWE-noinfo | |
| CPEs | cpe:2.3:a:apache:guacamole:*:*:*:*:*:*:*:* | |
| Vendors & Products | Apache Apache guacamole | |

Wed, 02 Jul 2025 13:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc | |

Wed, 02 Jul 2025 11:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue. | |
| Title | Apache Guacamole: Improper input validation of console codes | |
| Weaknesses | CWE-129 | |
| References |  | |
| Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2025-07-02T11:23:22.750Z
Updated: 2025-07-03T03:55:32.080Z
Reserved: 2024-05-10T07:46:23.307Z
Link: CVE-2024-35164
Vulnrichment
Updated: 2025-07-02T13:07:00.302Z
NVD
Status: Analyzed
Published: 2025-07-02T12:15:27.770
Modified: 2025-07-09T15:24:36.757
Link: CVE-2024-35164
Redhat
No data.