CVE-2022-23613

Name
CVE-2022-23613
Description
xrdp is an open source remote desktop protocol (RDP) server. In affected versions, an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker who can locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.
NVD Severity
medium
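The advisory names the bug class (an integer underflow in a length computation that becomes a heap overflow) but does not show code. The block below is an added, constructed illustration of that class next to the check that prevents it. It is not xrdp's code, does not reproduce the actual sesman bug, and its frame layout (HDR_LEN), buffer size (MAX_PAYLOAD) and function names are assumptions made for the example.

```c
/* Constructed example: integer underflow in a length check -> heap overflow,
 * beside the hardened form. Not xrdp's code; layout and sizes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN     8u    /* assumed: 4-byte LE total length + 4 reserved bytes */
#define MAX_PAYLOAD 256u  /* assumed: size of the heap buffer receiving the payload */

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* The unsafe arithmetic: with total_len < HDR_LEN the unsigned subtraction
 * wraps, so a tiny claimed length becomes a ~4 GiB copy size. */
uint32_t unchecked_payload_len(uint32_t total_len)
{
    return total_len - HDR_LEN;
}

/* Hardened: reject before subtracting, then bound the result by the buffer.
 * Returns 0 and sets *out on success, -1 if the length is malformed. */
int checked_payload_len(uint32_t total_len, uint32_t *out)
{
    if (total_len < HDR_LEN)
        return -1;                          /* would underflow */
    uint32_t payload = total_len - HDR_LEN;
    if (payload > MAX_PAYLOAD)
        return -1;                          /* would overflow the heap buffer */
    *out = payload;
    return 0;
}

/* Build a frame whose claimed total length is attacker-controlled and need not
 * match the bytes actually present. Returns the number of bytes written. */
size_t build_frame(unsigned char *out, uint32_t claimed_total,
                   const unsigned char *payload, uint32_t payload_len)
{
    wr_le32(out, claimed_total);
    memset(out + 4, 0, 4);
    memcpy(out + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Parse a frame using the checked computation. Returns a malloc'd copy of the
 * payload (caller frees) and sets *out_len, or NULL if the frame is rejected. */
unsigned char *parse_frame_checked(const unsigned char *msg, size_t msg_len,
                                   uint32_t *out_len)
{
    if (msg_len < HDR_LEN)
        return NULL;
    uint32_t total_len = rd_le32(msg);
    uint32_t payload_len;
    if (checked_payload_len(total_len, &payload_len) != 0)
        return NULL;
    if ((size_t)total_len > msg_len)
        return NULL;                        /* claims more bytes than were received */
    unsigned char *buf = malloc(MAX_PAYLOAD);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + HDR_LEN, payload_len); /* payload_len <= MAX_PAYLOAD here */
    *out_len = payload_len;
    return buf;
}

/* Scenario 1: frame claims total length 4, shorter than the header. 1 if rejected. */
int hardened_rejects_short_claim(void)
{
    unsigned char frame[64];
    uint32_t n = 0;
    size_t len = build_frame(frame, 4u, (const unsigned char *)"hello", 5u);
    return parse_frame_checked(frame, len, &n) == NULL;
}

/* Scenario 2: well-formed frame carrying "hello". 1 if parsed intact. */
int hardened_accepts_valid_frame(void)
{
    unsigned char frame[64];
    uint32_t n = 0;
    size_t len = build_frame(frame, HDR_LEN + 5u, (const unsigned char *)"hello", 5u);
    unsigned char *p = parse_frame_checked(frame, len, &n);
    int ok = p != NULL && n == 5u && memcmp(p, "hello", 5) == 0;
    free(p);
    return ok;
}

int main(void)
{
    printf("unchecked length for claimed total 4: 0x%08x\n", unchecked_payload_len(4u));
    printf("hardened parser rejects short claim: %d\n", hardened_rejects_short_claim());
    printf("hardened parser accepts valid frame: %d\n", hardened_accepts_valid_frame());
    return 0;
}
```

The point to carry over to review of any length-prefixed parser: compare before you subtract, and bound the result against the destination buffer, not just against the bytes received.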
Forges: GitHub (code, issues), Aports (code, issues)

References

Type | URI
MISC | https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa
CONFIRM | https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32
Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5ONRGARKHGFU2CIEQ7E6M6VJZEM5XWW/
Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3XGFJNQMNXHBD3J7CBM4YURYEDXROWZ/

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:neutrinolabs:xrdp:0.9.17:*:*:*:*:*:*:* | xrdp | none | == 0.9.17
cpe:2.3:a:neutrinolabs:xrdp:0.9.18:*:*:*:*:*:*:* | xrdp | none | == 0.9.18

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
xrdp | 3.15-community | 0.9.18.1-r0 | Alan Lacerda <alacerda@alpinelinux.org> | fixed
xrdp | 3.16-community | 0.9.18.1-r0 | Alan Lacerda <alacerda@alpinelinux.org> | fixed