| layout | title | permalink |
| --- | --- | --- |
| page | Security Reports | /security/ |
This page lists all security vulnerabilities fixed in released versions of Apache Guacamole. Each vulnerability is listed with a description of the problem, its associated CVE number, and the Guacamole release in which the vulnerability was fixed.
If you believe you have discovered a security problem in Apache Guacamole, please follow responsible disclosure practices and report discovered security issues privately, either to the private security mailing list of the ASF Security Team or the mailing list, before disclosing or discussing the issue in a public forum.
No. CVE-2023-5129 (aka CVE-2023-4863) deals specifically with decoding WebP images, not encoding.
You would also receive updates to libwebp from your distribution as the library itself is not bundled within Guacamole. If using our Docker images, the images are automatically rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and a pull of the latest would give you an updated image.
No, CVE-2021-44228 does not affect Apache Guacamole. Guacamole uses Logback as its logging backend, not Log4j.
No. We routinely check for known vulnerabilities in AngularJS and manually verify that Guacamole is not impacted by each.
If you believe a new vulnerability in AngularJS may require specific remediation within Guacamole, please reach out to us by sending an email to and we will investigate promptly. If a potential vulnerability in AngularJS does need to be addressed, we will work with you to issue a release of Guacamole that addresses it.
Releases of Guacamole 1.x will continue to use AngularJS for compatibility, while Guacamole 2.0.0 onward is planned to use Angular (the TypeScript-based framework that supersedes AngularJS).
{% assign releases = site.releases | where: 'released', 'true' | sort: 'date' %}
{% for release in releases reversed %}
{% assign reports = | where: 'fixed', release.title | sort: 'title' %}
{% capture title %} Fixed in Apache Guacamole {{ release.title }} {% endcapture %}
{% include cve-list.html title=title reports=reports %}
{% endfor %}
{% assign releases = site.legacy-releases | sort: 'date' %}
{% for release in releases reversed %}
{% assign reports = | where: 'fixed', release.title | sort: 'title' %}
{% capture title %} Fixed in Guacamole {{ release.title }} (pre-Apache release) {% endcapture %}
{% include cve-list.html title=title reports=reports %}
{% endfor %}
{% assign reports = | where: 'fixed', '0.6.3' | sort: 'title' %}
{% capture title %} Fixed in Guacamole 0.6.3 (pre-Apache release) {% endcapture %}
{% include cve-list.html title=title reports=reports %}