CVE-2024-39917

2024-07-1200:00:00

ubuntu.com

xrdp

rdp server

vulnerability

infinite login attempts

configuration parameter

sesman.ini

unix

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

AI Score

6.7

Confidence

Low

EPSS

0.001

Percentile

39.7%

JSON

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a
vulnerability that allows attackers to make an infinite number of login
attempts. The number of max login attempts is supposed to be limited by a
configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However,
this mechanism was not effectively working. As a result, xrdp allows an
infinite number of login attempts.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchxrdp< anyUNKNOWN
ubuntu20.04noarchxrdp< anyUNKNOWN
ubuntu22.04noarchxrdp< anyUNKNOWN
ubuntu24.04noarchxrdp< anyUNKNOWN
ubuntu14.04noarchxrdp< anyUNKNOWN
ubuntu16.04noarchxrdp< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	xrdp	< any	UNKNOWN
ubuntu	20.04	noarch	xrdp	< any	UNKNOWN
ubuntu	22.04	noarch	xrdp	< any	UNKNOWN
ubuntu	24.04	noarch	xrdp	< any	UNKNOWN
ubuntu	14.04	noarch	xrdp	< any	UNKNOWN
ubuntu	16.04	noarch	xrdp	< any	UNKNOWN