CVE-2013-1430
First published: Fri Dec 16 2016(Updated: )
An issue was discovered in xrdp before 0.9.1. When successfully logging in using RDP into an xrdp session, the file ~/.vnc/sesman_${username}_passwd is created. Its content is the equivalent of the user's cleartext password, DES encrypted with a known key.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xrdp | 0.9.9-1+deb10u1 0.9.9-1+deb10u3 0.9.21.1-1~deb11u1 0.9.21.1-1 | |
| xrdp | <=0.8.0 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-1430?
CVE-2013-1430 has a medium severity rating due to the exposure of user passwords.
How do I fix CVE-2013-1430?
To mitigate CVE-2013-1430, upgrade xrdp to version 0.9.1 or later.
What kind of attack can exploit CVE-2013-1430?
CVE-2013-1430 can be exploited by an attacker who gains access to the user's file system, retrieving the cleartext password from the created file.
Which versions of xrdp are affected by CVE-2013-1430?
CVE-2013-1430 affects xrdp versions prior to 0.9.1.
Is CVE-2013-1430 a local or remote vulnerability?
CVE-2013-1430 is primarily a local vulnerability, as it requires access to the user's file system.
- collector/security-tracker-debian
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/remedy
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/neutrinolabs
- canonical/xrdp
- version/xrdp/0.8.0
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0