CVE-2021-41767: 
Apache Guacamole vulnerability analysis and mitigation

Apache Guacamole versions 1.3.0 and older contain a security vulnerability identified as CVE-2021-41767. The vulnerability was discovered by Damian Velardo from Australia and New Zealand Banking Group and was publicly disclosed on January 11, 2022. The issue involves the incorrect inclusion of private tunnel identifiers in non-private details of certain REST responses (Apache Advisory, OSS Security).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges. The CVSS v2.0 base score is 4.0 (Medium) with the vector (AV:N/AC:L/Au:S/C:P/I:N/A:N) (NVD).

When exploited, this vulnerability allows an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection. This creates a potential privacy and security breach where users could potentially interfere with or monitor other users' sessions (Apache Advisory).

Users running Apache Guacamole 1.3.0 or older versions should upgrade to a newer version where this vulnerability has been addressed. The issue affects all versions up to and including 1.3.0 (NVD).