Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-39347

Опубликовано: 16 нояб. 2022
Источник: redhat
CVSS3: 4.8
EPSS Низкий

Описание

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for drive channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the /drive, /drives or +home-drive redirection switch.

A directory traversal issue was discovered in FreeRDP. The vulnerability exists due to missing path canonicalization and base path check for the drive channel. A malicious server can trick a FreeRDP based client to read files outside of the shared directory. This issue allows an attacker to gain access to sensitive information.

Меры по смягчению последствий

Users who are unable to upgrade should not use the /drive, /drives or +home-drive redirection switches.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6freerdpOut of support scope
Red Hat Enterprise Linux 7freerdpOut of support scope
Red Hat Enterprise Linux 8freerdpFixedRHSA-2023:285116.05.2023
Red Hat Enterprise Linux 9freerdpFixedRHSA-2023:232609.05.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=2143647freerdp: missing path sanitation with `drive` channel

EPSS

Процентиль: 29%
0.00105
Низкий

4.8 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-39347

CVSS3: 2.6
ubuntu
почти 3 года назад

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

nvd логотип

CVE-2022-39347

CVSS3: 2.6
nvd
почти 3 года назад

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

debian логотип

CVE-2022-39347

CVSS3: 2.6
debian
почти 3 года назад

FreeRDP is a free remote desktop protocol library and clients. Affecte ...

fstec логотип

BDU:2022-06975

CVSS3: 7.5
fstec
почти 3 года назад

Уязвимость канала перенаправления диска реализации протокола удалённого рабочего стола FreeRDP, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

suse-cvrf логотип

SUSE-SU-2023:0400-1

suse-cvrf
больше 2 лет назад

Security update for freerdp

EPSS

Процентиль: 29%
0.00105
Низкий

4.8 Medium

CVSS3