CVE-2022-39319: Missing length validation in urbdrc channel in FreeRDP
First published: Wed Nov 16 2022(Updated: )
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <2.9.0 | ||
| =36 | ||
| =37 | ||
| FreeRDP FreeRDP | <2.9.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
- https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/
- https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html
- https://security.gentoo.org/glsa/202401-16
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/
Frequently Asked Questions
What is CVE-2022-39319?
CVE-2022-39319 is a vulnerability in FreeRDP, a remote desktop protocol library and clients, where affected versions are missing input length validation in the urbdrc channel, allowing a malicious server to trick a client into reading out-of-bounds data.
What is the severity of CVE-2022-39319?
CVE-2022-39319 has a severity score of 4.6, categorized as medium severity.
How does CVE-2022-39319 impact FreeRDP?
CVE-2022-39319 impacts FreeRDP by allowing a malicious server to exploit the missing input length validation in the urbdrc channel, potentially causing out-of-bounds data leaks.
How can CVE-2022-39319 be fixed?
CVE-2022-39319 can be fixed by updating to a version of FreeRDP that includes the patch addressing the vulnerability.
Where can I find more information about CVE-2022-39319?
More information about CVE-2022-39319 can be found on the GitHub security advisory page and the Fedora Project announcement.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/freerdp
- canonical/freerdp freerdp
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37