CVE-2022-39318: Division by zero in urbdrc channel in FreeRDP
First published: Wed Nov 16 2022(Updated: )
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <2.9.0 | ||
| =36 | ||
| =37 | ||
| FreeRDP FreeRDP | <2.9.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
- https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/
- https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html
- https://security.gentoo.org/glsa/202401-16
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/
Frequently Asked Questions
What is CVE-2022-39318?
CVE-2022-39318 is a vulnerability in FreeRDP that allows a malicious server to crash a FreeRDP based client with a division by zero error.
What is the severity of CVE-2022-39318?
The severity of CVE-2022-39318 is medium with a CVSS score of 5.7.
Which versions of FreeRDP are affected by CVE-2022-39318?
Affected versions of FreeRDP are up to, but excluding, version 2.9.0.
How can I fix CVE-2022-39318 in FreeRDP?
To fix CVE-2022-39318, update FreeRDP to version 2.9.0 or later.
Is there any additional information available for CVE-2022-39318?
Yes, you can find more information about CVE-2022-39318 in the references provided: [link1], [link2], [link3].
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/freerdp
- canonical/freerdp freerdp
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37