Lucene search

[email protected]NVD:CVE-2024-39917

HistoryJul 12, 2024 - 4:15 p.m.

CVE-2024-39917

2024-07-1216:15:04

CWE-307

[email protected]

web.nvd.nist.gov

xrdp

open source

rdp server

vulnerability

configuration parameter

maxloginretry

sesman.ini

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.7%

JSON

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Affected configurations

Nvd

Node

neutrinolabsxrdpRange<0.10.0

VendorProductVersionCPE
neutrinolabsxrdp*cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
neutrinolabs	xrdp	*	cpe:2.3:a:neutrinolabs:xrdp::::::::

References

github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.7%

JSON

Related for NVD:CVE-2024-39917

debiancve1 osv1 ubuntucve1 veracode1 vulnrichment1 cve1 alpinelinux1 cvelist1