CVE-2021-41159

Published: 21 October 2021

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update, use `/gt:http` rather than `/gt:rdp` connections if possible, or use a direct connection without a gateway.

Priority

Medium

CVSS 3 base score: 8.8

Status

| Package | Release | Status |
|---|---|---|
| freerdp | Upstream | Needs triage |
| freerdp | Ubuntu 18.04 LTS (Bionic Beaver) | Needs triage |
| freerdp | Ubuntu 16.04 ESM (Xenial Xerus) | Needs triage |
| freerdp | Ubuntu 14.04 ESM (Trusty Tahr) | Ignored (out of standard support) |
| freerdp2 | Upstream | Needs triage |
| freerdp2 | Ubuntu 21.10 (Impish Indri) | Released (2.3.0+dfsg1-2ubuntu0.1) |
| freerdp2 | Ubuntu 21.04 (Hirsute Hippo) | Released (2.3.0+dfsg1-1ubuntu0.1) |
| freerdp2 | Ubuntu 20.04 LTS (Focal Fossa) | Released (2.2.0+dfsg1-0ubuntu0.20.04.2) |
| freerdp2 | Ubuntu 18.04 LTS (Bionic Beaver) | Released (2.2.0+dfsg1-0ubuntu0.18.04.2) |
| freerdp2 | Ubuntu 16.04 ESM (Xenial Xerus) | Ignored (out of standard support) |
| freerdp2 | Ubuntu 14.04 ESM (Trusty Tahr) | Ignored (out of standard support) |

Patches:
Upstream: https://github.com/FreeRDP/FreeRDP/pull/7366/commits/f0a0683fa6a3f696c4bc5ba88c128bc781c54895
Upstream: https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5