CVE-2021-41159

Published: 21 October 2021

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 that use gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might cause client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update, use `/gt:http` rather than `/gt:rpc` connections if possible, or use a direct connection without a gateway.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package   Release   Status
freerdp   (Launchpad, Ubuntu, Debian)
          bionic    Needs triage
          trusty    Ignored (out of standard support)
          upstream  Needs triage
          xenial    Needs triage

freerdp2  (Launchpad, Ubuntu, Debian)
          bionic    Released (2.2.0+dfsg1-0ubuntu0.18.04.2)
          focal     Released (2.2.0+dfsg1-0ubuntu0.20.04.2)
          hirsute   Released (2.3.0+dfsg1-1ubuntu0.1)
          impish    Released (2.3.0+dfsg1-2ubuntu0.1)
          jammy     Released (2.3.0+dfsg1-2ubuntu2)
          trusty    Ignored (out of standard support)
          upstream  Needs triage
          xenial    Ignored (out of standard support)

Patches:
upstream: https://github.com/FreeRDP/FreeRDP/pull/7366/commits/f0a0683fa6a3f696c4bc5ba88c128bc781c54895
upstream: https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5