CVE-2022-41877

2022-11-1600:00:00

ubuntu.com

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

4.9 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:N/A:P

0.001 Low

EPSS

Percentile

50.5%

JSON

FreeRDP is a free remote desktop protocol library and clients. Affected
versions of FreeRDP are missing input length validation in drive channel.
A malicious server can trick a FreeRDP based client to read out of bound
data and send it back to the server. This issue has been addressed in
version 2.9.0 and all users are advised to upgrade. Users unable to upgrade
should not use the drive redirection channel - command line options
/drive, +drives or +home-drive.

Notes

Author	Note
mdeslaur	malicious server could cause client to crash

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.18.04.4+esm2) Available with Ubuntu Pro or Ubuntu Pro (Infra-onlyUNKNOWN
ubuntu20.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.20.04.6UNKNOWN
ubuntu22.04noarchfreerdp2< 2.6.1+dfsg1-3ubuntu2.5UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	freerdp2	< 2.2.0+dfsg1-0ubuntu0.18.04.4+esm2) Available with Ubuntu Pro or Ubuntu Pro (Infra-only	UNKNOWN
ubuntu	20.04	noarch	freerdp2	< 2.2.0+dfsg1-0ubuntu0.20.04.6	UNKNOWN
ubuntu	22.04	noarch	freerdp2	< 2.6.1+dfsg1-3ubuntu2.5	UNKNOWN