Lucene search

K
cve[email protected]CVE-2023-39353
HistoryAug 31, 2023 - 9:15 p.m.

CVE-2023-39353

2023-08-3121:15:08
CWE-125
web.nvd.nist.gov
35
freerdp
rdp
apache license
missing offset validation
out of bound read
vulnerability
nvd
cve-2023-39353

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.1%

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the libfreerdp/codec/rfx.c file there is no offset validation in tile->quantIdxY, tile->quantIdxCb, and tile->quantIdxCr. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners
NVD
Node
freerdpfreerdpRange<2.11.0
OR
freerdpfreerdpRange3.0.0-beta13.0.0-beta3
VendorProductVersionCPE
freerdpfreerdp*cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
freerdpfreerdp*cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "FreeRDP",
    "product": "FreeRDP",
    "versions": [
      {
        "version": "< 2.11.0",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0-beta1, < 3.0.0-beta3",
        "status": "affected"
      }
    ]
  }
]

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.1%