CVE-2021-43999

8.8 HIGH

📋 TL;DR

This vulnerability in Apache Guacamole allows attackers to impersonate other users when SAML authentication is enabled. It affects Apache Guacamole 1.2.0 and 1.3.0 installations with SAML support configured. Attackers can bypass authentication controls to gain unauthorized access to remote desktop sessions.

💻 Affected Systems

Products:
  • Apache Guacamole
Versions: 1.2.0 and 1.3.0
Operating Systems: All platforms running Apache Guacamole
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SAML authentication is enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Guacamole user accounts, allowing attackers to access sensitive systems and data through remote desktop sessions.

🟠 Likely Case

Unauthorized access to specific user accounts, potentially leading to data theft, lateral movement, or privilege escalation within connected systems.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, but authentication bypass is still possible for targeted accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SAML authentication to be enabled and the attacker to have some access to manipulate SAML responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://lists.apache.org/thread/4dt9h5mo4o9rxlgxm3rp8wfqdtdjn2z9

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Apache Guacamole 1.4.0 or later.
3. Restart Guacamole services.
4. Verify that SAML authentication is working correctly.

🔧 Temporary Workarounds

Disable SAML Authentication

Applies to: all

Temporarily disable SAML authentication until patching is possible.

1. Edit guacamole.properties and remove or comment out the SAML configuration.
2. Restart Guacamole services.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Guacamole servers from critical systems
  • Enable detailed logging and monitoring for SAML authentication events and user impersonation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Guacamole version and the SAML configuration. If the version is 1.2.0 or 1.3.0 and SAML authentication is enabled, the system is vulnerable.

Check Version:

Check the Guacamole web interface or the server logs for version information.

Verify Fix Applied:

Verify that the Guacamole version is 1.4.0 or later and test that SAML authentication still works.
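The two verification checks above (affected version, SAML configured) can be scripted. The following is an added example, not code from the Apache Guacamole project or from this advisory. It assumes the operator has already obtained the version string from the web interface or server logs, and that the SAML extension's settings appear as saml-* keys in guacamole.properties (the sample properties file is constructed for the example). A commented-out SAML block, as in the workaround, is correctly treated as not configured.

```python
"""Assess whether a Guacamole deployment matches the conditions of
CVE-2021-43999: version 1.2.0 or 1.3.0 AND SAML authentication configured."""
import re
from typing import Dict, Tuple

AFFECTED_VERSIONS = {(1, 2, 0), (1, 3, 0)}   # versions listed in the advisory
FIXED_VERSION = (1, 4, 0)                    # first release carrying the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.0' (or '1.4.0-rc1') into a comparable tuple of integers."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for guacamole.properties (Java .properties syntax):
    lines starting with '#' or '!' are comments; pairs are 'key = value',
    'key: value' or 'key value'. Commented-out keys are therefore ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def saml_configured(props: Dict[str, str]) -> bool:
    """Assumption: the SAML extension is configured when at least one
    non-empty saml-* property is present."""
    return any(k.startswith("saml-") and v for k, v in props.items())


def assess(version: str, properties_text: str) -> Dict[str, object]:
    """Combine the version check and the SAML check into one verdict."""
    v = parse_version(version)
    saml = saml_configured(parse_properties(properties_text))
    return {
        "version": v,
        "saml_configured": saml,
        "vulnerable": v in AFFECTED_VERSIONS and saml,
        "fix_applied": v >= FIXED_VERSION,
    }


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONFIG = """\
# constructed sample guacamole.properties
guacd-hostname:    localhost
guacd-port:        4822
saml-idp-url:      https://idp.example.test/sso
saml-entity-id:    https://guac.example.test/
saml-callback-url: https://guac.example.test/guacamole/
"""

# Same file after applying the workaround (SAML keys commented out).
MITIGATED_CONFIG = """\
guacd-hostname:    localhost
guacd-port:        4822
# saml-idp-url:      https://idp.example.test/sso
# saml-entity-id:    https://guac.example.test/
# saml-callback-url: https://guac.example.test/guacamole/
"""

if __name__ == "__main__":
    for ver in ("1.3.0", "1.4.0"):
        for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
            print(ver, name, assess(ver, cfg))
```

Run it on the server's real guacamole.properties by passing the file contents to assess(); a verdict with vulnerable=False and fix_applied=True is the state to aim for after upgrading.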

📡 Detection & Monitoring

Log Indicators:

  • Unusual SAML response patterns
  • Multiple authentication attempts from same IP with different user identities
  • User sessions originating from unexpected locations

Network Indicators:

  • Abnormal SAML traffic patterns
  • Authentication requests with manipulated SAML assertions

SIEM Query:

source="guacamole" AND (event_type="authentication" OR event_type="saml") AND (status="failure" OR user_changed="true")
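The second log indicator above (several different user identities authenticating via SAML from one source address in a short span) is the one most directly tied to impersonation, and it can be checked offline against exported logs. The following is an added example, not part of the advisory and not Guacamole's own log format: the sample lines are constructed, in a simplified one-event-per-line layout, and the parser regex, the five-minute window and the threshold of three identities are assumptions to be adapted to the real log source.

```python
"""Flag source IPs that authenticate as several distinct users via SAML
within a short sliding time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed simplified event layout; adapt to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth saml user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for a matching SAML auth event, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]}


def find_identity_churn(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    threshold: int = 3,
) -> Dict[str, List[str]]:
    """Return {ip: sorted user names} for every IP that presented at least
    `threshold` distinct identities inside any `window`-long span.
    Lines are assumed to be in chronological order."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, set] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop events that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold:
            flagged.setdefault(ev["ip"], set()).update(users)
    return {ip: sorted(u) for ip, u in flagged.items()}


# Constructed sample log (documentation-range addresses, fictitious users).
SAMPLE_LOG = """\
2021-12-01T10:00:01Z INFO auth saml user=alice ip=198.51.100.5 result=success
2021-12-01T10:00:30Z INFO auth saml user=alice ip=203.0.113.7 result=success
2021-12-01T10:01:02Z INFO auth saml user=bob ip=203.0.113.7 result=success
2021-12-01T10:01:40Z INFO auth saml user=carol ip=203.0.113.7 result=success
2021-12-01T10:02:00Z INFO auth saml user=alice ip=198.51.100.5 result=failure
2021-12-01T10:03:00Z INFO auth saml user=dave ip=203.0.113.9 result=success
2021-12-01T10:04:00Z INFO auth saml user=erin ip=203.0.113.9 result=success
2021-12-01T10:30:00Z INFO auth saml user=frank ip=203.0.113.9 result=success
some unrelated log line that does not match
"""

if __name__ == "__main__":
    print(find_identity_churn(SAMPLE_LOG.splitlines()))
```

In the sample, 203.0.113.7 is flagged (alice, bob and carol within two minutes), while 203.0.113.9 is not because its third identity arrives long after the window has expired; the same user repeating from one address is never flagged. Tune the window and threshold to the environment (shared NAT egress addresses will legitimately show several users) before turning the rule into an alert.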
