VDB
CVE-2022-24882
PUBLISHED
CVSS 9.1 CRITICAL
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides an empty password value. This issue affects FreeRDP-based RDP server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.
EPSS 0.77% · 73.8th percentile
Risk Scores
CVSS v3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.77%
73.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| FreeRDP | FreeRDP | < 2.7.0 |
| freerdp | freerdp | 0 |
| fedoraproject | extra_packages_for_enterprise_linux | 8.0 |
| fedoraproject | fedora | 34, 35, 36 |
Timeline
- Apr 26, 2022 CVE Published
- Apr 26, 2022 PoC Published
- Apr 27, 2022 EPSS Score
- Jun 16, 2022 EPSS Score
- Aug 5, 2022 EPSS Score
- Sep 24, 2022 EPSS Score
- Jan 1, 2023 EPSS Score
- Feb 20, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 11, 2023 EPSS Score
- May 31, 2023 EPSS Score
- Jul 19, 2023 EPSS Score
References
- https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0 url
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh url
- https://github.com/FreeRDP/FreeRDP/pull/7750 url
- https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/95 url
- FEDORA-2022-dc48a89918 vendor-advisory
- FEDORA-2022-a3e03a200b vendor-advisory
- FEDORA-2022-b0a47f8060 vendor-advisory
- GLSA-202210-24 vendor-advisory
- https://lists.debian.org/debian-lts-announce/2025/02/msg00034.html url