CVE-2024-39917
published 2024-07-12


Priority: P354
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.3rd percentile)
xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an unlimited number of login attempts. The maximum number of login attempts is supposed to be limited by the configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effective, so xrdp allowed an unlimited number of login attempts regardless of the configured value.

Affected (8 ranges)

Vendor       | Product | Version range                              | Fixed in
debian       | xrdp    | < xrdp 0.9.21.1-1+deb12u1 (bookworm)       | xrdp 0.9.21.1-1+deb12u1 (bookworm)
neutrinolabs | xrdp    | < 0.10.0                                   | 0.10.0
neutrinolabs | xrdp    | <= 0.10.0                                  |
neutrinolabs | xrdp    | >= 0, < 0.9.21.1-1~deb11u2                 | 0.9.21.1-1~deb11u2
neutrinolabs | xrdp    | >= 0, < 0.9.21.1-1+deb12u1                 | 0.9.21.1-1+deb12u1
neutrinolabs | xrdp    | >= 0, < 0.10.1-1                           | 0.10.1-1
neutrinolabs | xrdp    | >= 0, < 0.10.1-1                           | 0.10.1-1
ubuntu       | xrdp    |                                            |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 7.2   | HIGH     |
vendor_ubuntu |         | 6.5   | MEDIUM   |