CVE-2022-39319

Name
CVE-2022-39319
Description
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
MISC https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/
security-advisories@github.com https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html
security-advisories@github.com https://security.gentoo.org/glsa/202401-16

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* freerdp >= None < 2.9.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
freerdp 3.16-community 2.7.0-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
freerdp 3.17-community 2.9.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed