Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-39317

Published: 17 November 2022

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.

Notes

AuthorNote
mdeslaur
malicious server could cause client to crash
same commit as CVE-2022-39316

Priority

Low

Cvss 3 Severity Score

4.6

Score breakdown

Status

Package Release Status
freerdp2
Launchpad, Ubuntu, Debian
focal
Released (2.2.0+dfsg1-0ubuntu0.20.04.4)
jammy
Released (2.6.1+dfsg1-3ubuntu2.3)
kinetic
Released (2.8.1+dfsg1-0ubuntu1.1)
lunar
Released (2.8.1+dfsg1-1ubuntu1)
trusty Ignored
(end of standard support)
xenial Ignored
(end of standard support)
upstream Needs triage

bionic
Released (2.2.0+dfsg1-0ubuntu0.18.04.4)
Patches:
upstream: https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
freerdp
Launchpad, Ubuntu, Debian
trusty Ignored
(end of standard support)
xenial Needs triage

bionic Needs triage

focal Does not exist

jammy Does not exist

kinetic Does not exist

upstream Needs triage

Severity score breakdown

Parameter Value
Base score 4.6
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L