CVE-2022-23613 — Vulnetix

CVE-2022-23613 PUBLISHED CVSS 7.800000190734863 HIGH

xrdp is an open source remote desktop protocol (RDP) server. In affected versions an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is able to locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.

EPSS 0.38% · 59.7th percentile

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.38%

59.7th percentile

Affected Products

Vendor	Product	Versions
fedoraproject	fedora	34, 35
neutrinolabs	xrdp	>= 0.9.17, < 0.9.18.1, 0.9.17, 0.9.18

Timeline

Feb 7, 2022 CVE Published
Feb 8, 2022 EPSS Score
Feb 15, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 24, 2022 EPSS Score
Sep 7, 2022 EPSS Score
Oct 29, 2022 EPSS Score
Dec 20, 2022 EPSS Score
Feb 11, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 4, 2023 EPSS Score
May 26, 2023 EPSS Score

References

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 url
https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa url
FEDORA-2022-4283d4695d vendor-advisory
FEDORA-2022-727e3914e1 vendor-advisory

Open in Interactive Console →