CVE-2023-43826: 
Apache Guacamole vulnerability analysis and mitigation

Apache Guacamole versions 1.5.3 and older were found to contain an integer overflow vulnerability in the handling of VNC image buffers. The vulnerability was discovered on September 22, 2023, and was assigned CVE-2023-43826. The issue was officially disclosed on December 19, 2023, after a fix was released in version 1.5.4 (OSS Security, NVD).

The vulnerability stems from inconsistent validation of values received from VNC servers, which could lead to integer overflow conditions. The issue has been assigned CWE-190 (Integer Overflow or Wraparound). The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Apache Software Foundation rated it at 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could result in memory corruption when a user connects to a malicious or compromised VNC server. The impact could potentially allow arbitrary code execution with the privileges of the running guacd process (NVD).

Users are strongly recommended to upgrade to Apache Guacamole version 1.5.4, which contains the fix for this vulnerability. The fix was completed and merged on October 26, 2023, tested and confirmed by the reporter on October 27, 2023, and officially released on December 8, 2023 (OSS Security).

The vulnerability was responsibly disclosed by security researchers Joseph Surin and Matt Jones from Elttam. The Apache Guacamole team acknowledged and confirmed the report on the same day it was received, demonstrating prompt response to security issues (OSS Security).