CVE-2022-39318
Published: 17 November 2022
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
Notes
Author | Note |
---|---|
mdeslaur |
malicious server could cause client to crash |
Priority
Status
Package | Release | Status |
---|---|---|
freerdp
Launchpad, Ubuntu, Debian |
bionic |
Needed
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Needed
|
|
freerdp2
Launchpad, Ubuntu, Debian |
bionic |
Released
(2.2.0+dfsg1-0ubuntu0.18.04.4)
|
focal |
Released
(2.2.0+dfsg1-0ubuntu0.20.04.4)
|
|
jammy |
Released
(2.6.1+dfsg1-3ubuntu2.3)
|
|
kinetic |
Released
(2.8.1+dfsg1-0ubuntu1.1)
|
|
lunar |
Released
(2.8.1+dfsg1-1ubuntu1)
|
|
mantic |
Released
(2.8.1+dfsg1-1ubuntu1)
|
|
noble |
Released
(2.8.1+dfsg1-1ubuntu1)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support)
|
|
Patches:
upstream: https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.7 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |