CVE-2022-24883Improper Authentication in Freerdp

CWE-287Improper Authentication6 documents5 sources
Severity
9.8CRITICALNVD
OSV7.5
EPSS
0.9%
top 23.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FreerdpDebian Freerdp2Fedoraproject Fedora
Timeline
PublishedApr 26
Latest updateJun 6

Description

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDfreerdp/freerdp< 2.7.0
debiandebian/freerdp2< freerdp2 2.7.0+dfsg1-1 (bookworm)

Also affects: Fedora 34, 35, 36

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
freerdp2 vulnerabilities2022-06-06
OSV
CVE-2022-24883: FreeRDP is a free implementation of the Remote Desktop Protocol (RDP)2022-04-26

📋Vendor Advisories

3
Ubuntu
FreeRDP vulnerabilities2022-06-06
Red Hat
freerdp: Server Side Auth Against a SAM File May Succeed for Invalid Creds2022-04-22
Debian
CVE-2022-24883: freerdp2 - FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to ...2022
CVE-2022-24883 — Improper Authentication in Freerdp | cvebase