CVE-2020-11038Integer Overflow to Buffer Overflow in Freerdp

CWE-680Integer Overflow to Buffer OverflowCWE-190Integer Overflow or Wraparound8 documents6 sources
Severity
5.4MEDIUMNVD
CNA6.9
EPSS
0.2%
top 59.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FreerdpDebian LinuxOpensuse Leap
Timeline
PublishedMay 29
Latest updateJun 17

Description

In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer Overflow exists. When using /video redirection, a manipulated server can instruct the client to allocate a buffer with a smaller size than requested due to an integer overflow in size calculation. With later messages, the server can manipulate the client to write data out of bound to the previously allocated buffer. This has been patched in 2.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

NVDfreerdp/freerdp< 2.1.0
CVEListV5freerdp/freerdp2.0.0
NVDopensuse/leap15.1

Also affects: Debian Linux 10.0

🔴Vulnerability Details

2
OSV
CVE-2020-11038: In FreeRDP less than or equal to 22020-05-29
CVEList
Integer Overflow to Buffer Overflow in FreeRDP2020-05-29

📋Vendor Advisories

2
Red Hat
freerdp: Integer overflow in VIDEO channel2020-04-09
Debian
CVE-2020-11038: freerdp2 - In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer Overflow e...2020

💬Community

3
Bugzilla
CVE-2020-11038 freerdp: Integer overflow in VIDEO channel [fedora-all]2020-06-17
Bugzilla
CVE-2020-11038 freerdp: Integer overflow in VIDEO channel2020-06-17
Bugzilla
CVE-2020-11038 freerdp1.2: freerdp: Integer overflow in VIDEO channel [fedora-all]2020-06-17
CVE-2020-11038 — Integer Overflow to Buffer Overflow | cvebase