Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-39319

Опубликовано: 16 нояб. 2022
Источник: redhat
CVSS3: 3.7
EPSS Низкий

Описание

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the urbdrc channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the /usb redirection switch.

An out-of-bound read vulnerability was discovered in FreeRDP due to improper input length validation in client/data_transfer.c in the urbdrc channel. A malicious server can trigger an out-of-bounds read by tricking a FreeRDP based client to read out-of-bound data and send it back to the server.

Отчет

Do not use the /usb redirection switch.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6freerdpOut of support scope
Red Hat Enterprise Linux 7freerdpOut of support scope
Red Hat Enterprise Linux 8freerdpFixedRHSA-2023:285116.05.2023
Red Hat Enterprise Linux 9freerdpFixedRHSA-2023:232609.05.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-125
https://bugzilla.redhat.com/show_bug.cgi?id=2143645freerdp: missing length validation in urbdrc channel

EPSS

Процентиль: 33%
0.00125
Низкий

3.7 Low

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-39319

CVSS3: 4.6
ubuntu
больше 2 лет назад

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.

nvd логотип

CVE-2022-39319

CVSS3: 4.6
nvd
больше 2 лет назад

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.

debian логотип

CVE-2022-39319

CVSS3: 4.6
debian
больше 2 лет назад

FreeRDP is a free remote desktop protocol library and clients. Affecte ...

fstec логотип

BDU:2022-06973

CVSS3: 9.1
fstec
больше 2 лет назад

Уязвимость канала перенаправления USB (urbdrc) реализации протокола удалённого рабочего стола FreeRDP, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании

suse-cvrf логотип

SUSE-SU-2022:4293-1

suse-cvrf
больше 2 лет назад

Security update for freerdp

EPSS

Процентиль: 33%
0.00125
Низкий

3.7 Low

CVSS3