ID

VAR-202507-0519


CVE

CVE-2024-35164


TITLE

Vulnerability in Apache Guacamole from the Apache Software Foundation

Trust: 0.8

sources: JVNDB: JVNDB-2024-025890

DESCRIPTION

The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue. Apache Guacamole from the Apache Software Foundation contains an unspecified vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Apache Guacamole is a clientless remote desktop gateway from the Apache Foundation. The product supports protocols such as VNC, RDP, and SSH. Apache Guacamole 1.5.5 and earlier versions have an input validation error vulnerability. The vulnerability is caused by improper validation of console codes received via text-based protocols. Attackers can exploit this vulnerability to execute arbitrary code.

Trust: 2.16

sources: NVD: CVE-2024-35164 // JVNDB: JVNDB-2024-025890 // CNVD: CNVD-2025-16971

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-16971

AFFECTED PRODUCTS

vendor: apache, model: guacamole, scope: gte, version: 0.8.0

Trust: 1.0

vendor: apache, model: guacamole, scope: lt, version: 1.6.0

Trust: 1.0

vendor: apache, model: guacamole, scope: eq, version: -

Trust: 0.8

vendor: apache, model: guacamole, scope: eq, version: 0.8.0 or later and before 1.6.0

Trust: 0.8

vendor: apache, model: guacamole, scope: -, version: -

Trust: 0.8

vendor: apache, model: guacamole, scope: lte, version: <=1.5.5

Trust: 0.6

sources: CNVD: CNVD-2025-16971 // JVNDB: JVNDB-2024-025890 // NVD: CVE-2024-35164

CVSS

SEVERITY

CVSSV2

CVSSV3

security@apache.org: CVE-2024-35164
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2024-35164
value: HIGH

Trust: 1.0

NVD: CVE-2024-35164
value: HIGH

Trust: 0.8

CNVD: CNVD-2025-16971
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-16971
severity: MEDIUM
baseScore: 6.6
vectorString: AV:N/AC:H/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

security@apache.org: CVE-2024-35164
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 5.2
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-35164
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2024-35164
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-16971 // JVNDB: JVNDB-2024-025890 // NVD: CVE-2024-35164 // NVD: CVE-2024-35164

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-129

Trust: 1.0

problemtype: Improper validation of array indexes (CWE-129) [others]

Trust: 0.8

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2024-025890 // NVD: CVE-2024-35164

PATCH

title: Patch for Apache Guacamole Input Validation Error Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/709581

Trust: 0.6

sources: CNVD: CNVD-2025-16971

EXTERNAL IDS

db: NVD, id: CVE-2024-35164

Trust: 3.2

db: JVNDB, id: JVNDB-2024-025890

Trust: 0.8

db: CNVD, id: CNVD-2025-16971

Trust: 0.6

sources: CNVD: CNVD-2025-16971 // JVNDB: JVNDB-2024-025890 // NVD: CVE-2024-35164

REFERENCES

url:https://lists.apache.org/thread/sgs8lplbkrpvd3hrvcnnxh3028h4py70

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2024-35164

Trust: 0.8

sources: CNVD: CNVD-2025-16971 // JVNDB: JVNDB-2024-025890 // NVD: CVE-2024-35164

SOURCES

db: CNVD, id: CNVD-2025-16971
db: JVNDB, id: JVNDB-2024-025890
db: NVD, id: CVE-2024-35164

LAST UPDATE DATE

2025-07-29T23:07:19.726000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-16971, date: 2025-07-28T00:00:00
db: JVNDB, id: JVNDB-2024-025890, date: 2025-07-10T02:46:00
db: NVD, id: CVE-2024-35164, date: 2025-07-09T15:24:36.757

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-16971, date: 2025-07-16T00:00:00
db: JVNDB, id: JVNDB-2024-025890, date: 2025-07-10T00:00:00
db: NVD, id: CVE-2024-35164, date: 2025-07-02T12:15:27.770