CVE-2022-24883
PUBLISHED
CVSS 7.4 HIGH
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might succeed for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure that the configured `SAM` database path is valid and that the application still has free file handles.
EPSS 1.27% · 79.8th percentile
Risk Scores
CVSS v3.1
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
1.27%
79.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fedoraproject | fedora | 34, 35, 36 |
| FreeRDP | FreeRDP | < 2.7.0 |
| freerdp | freerdp | 0 |
Timeline
- Apr 26, 2022 CVE Published
- Apr 26, 2022 PoC Published
- Apr 27, 2022 EPSS Score
- Jun 16, 2022 EPSS Score
- Aug 5, 2022 EPSS Score
- Nov 13, 2022 EPSS Score
- Dec 29, 2022 EPSS Score
- Jan 1, 2023 EPSS Score
- Feb 20, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 11, 2023 EPSS Score
- May 31, 2023 EPSS Score
References
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf (url)
- https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc (url)
- https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144 (url)
- https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0 (url)
- FEDORA-2022-dc48a89918 (vendor-advisory)
- FEDORA-2022-a3e03a200b (vendor-advisory)
- FEDORA-2022-b0a47f8060 (vendor-advisory)
- GLSA-202210-24 (vendor-advisory)
- [debian-lts-announce] 20231117 [SECURITY] [DLA 3654-1] freerdp2 security update (mailing-list)
- https://lists.debian.org/debian-lts-announce/2025/02/msg00016.html (url)