CVE-2022-24883

Published: 26 April 2022

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Priority

Low

CVSS 3 base score: 9.8

Status

| Package | Release | Status |
|---|---|---|
| freerdp (Launchpad, Ubuntu, Debian) | bionic | Needs triage |
| | upstream | Needs triage |
| | xenial | Needs triage |
| freerdp2 (Launchpad, Ubuntu, Debian) | bionic | Released (2.2.0+dfsg1-0ubuntu0.18.04.3) |
| | focal | Released (2.2.0+dfsg1-0ubuntu0.20.04.3) |
| | impish | Released (2.3.0+dfsg1-2ubuntu0.2) |
| | jammy | Released (2.6.1+dfsg1-3ubuntu2.1) |
| | upstream | Released (2.7.0+dfsg1-1) |

Patches:
upstream: https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc
upstream: https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144
upstream: https://github.com/FreeRDP/FreeRDP/commit/52f3e5139f7c75258b95ac49f53b8ca49e63f1e2 (2.x)