CVE-2024-39917

CVE-2024-39917

Name

CVE-2024-39917

Description

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
MISC	https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

Type

URI

CONFIRM

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

MISC

https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

CPE URI	Source package	Min version	Max version
	xrdp	>= 0	<= 0.10.0

CPE URI

Source package

Min version

Max version

xrdp

>= 0

<= 0.10.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
xrdp	edge-community	0.9.23.1-r0	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable
xrdp	edge-community	0.9.23-r0	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable
xrdp	edge-community	0.9.21.1-r0	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable
xrdp	edge-community	0.9.18.1-r0	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable
xrdp	edge-community	0.9.15-r1	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable
xrdp	edge-community	0.9.13.1-r0	None	possibly vulnerable
xrdp	3.22-community	0.9.23.1-r0	None	possibly vulnerable
xrdp	3.22-community	0.9.23-r0	None	possibly vulnerable
xrdp	3.22-community	0.9.21.1-r0	None	possibly vulnerable
xrdp	3.22-community	0.9.18.1-r0	None	possibly vulnerable
xrdp	3.22-community	0.9.15-r1	None	possibly vulnerable
xrdp	3.22-community	0.9.13.1-r0	None	possibly vulnerable
xrdp	3.20-community	0.9.24-r0	Alan Lacerda <alacerda@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

xrdp

edge-community

0.9.23.1-r0

Alan Lacerda <alacerda@alpinelinux.org>

possibly vulnerable

xrdp

edge-community