What is CVE-2022-41877?

CVE-2022-41877 is a vulnerability in FreeRDP, a remote desktop protocol library and clients, where affected versions are missing input length validation in the `drive` channel, allowing a malicious server to trick a client into reading out-of-bounds data.

What is the severity of CVE-2022-41877?

The severity of CVE-2022-41877 is medium, with a CVSS score of 4.6.

Which versions of FreeRDP are affected by CVE-2022-41877?

Versions up to and excluding 2.9.0 of FreeRDP are affected by CVE-2022-41877.

How can a malicious server exploit CVE-2022-41877?

A malicious server can exploit CVE-2022-41877 by tricking a FreeRDP client to read out-of-bounds data and send it back to the server.

How can I fix the vulnerability CVE-2022-41877?

To fix the vulnerability CVE-2022-41877, users should update to version 2.9.0 or higher of FreeRDP.

Vulnerability/
CVE-2022-41877

medium

4.6

CWE

119 1284

16/11/2022

12/1/2024

CVE-2022-41877: Missing input length validation in `drive` channel in FreeRDP

First published: Wed Nov 16 2022(Updated: )

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in `drive` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options `/drive`, `+drives` or `+home-drive`.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
FreeRDP FreeRDP	<2.9.0
Fedoraproject Fedora	=36
Fedoraproject Fedora	=37
ubuntu/freerdp2	<2.9.0	2.9.0
ubuntu/freerdp2	<2.2.0+dfsg1-0ubuntu0.18.04.4+	2.2.0+dfsg1-0ubuntu0.18.04.4+
ubuntu/freerdp2	<2.2.0+dfsg1-0ubuntu0.20.04.6	2.2.0+dfsg1-0ubuntu0.20.04.6
ubuntu/freerdp2	<2.6.1+dfsg1-3ubuntu2.5	2.6.1+dfsg1-3ubuntu2.5
debian/freerdp2	<=2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2<=2.3.0+dfsg1-2+deb11u1	2.3.0+dfsg1-2+deb10u4 2.10.0+dfsg1-1 2.11.2+dfsg1-1 2.11.5+dfsg1-1

Remedy

https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-41877?
CVE-2022-41877 is a vulnerability in FreeRDP, a remote desktop protocol library and clients, where affected versions are missing input length validation in the `drive` channel, allowing a malicious server to trick a client into reading out-of-bounds data.
What is the severity of CVE-2022-41877?
The severity of CVE-2022-41877 is medium, with a CVSS score of 4.6.
Which versions of FreeRDP are affected by CVE-2022-41877?
Versions up to and excluding 2.9.0 of FreeRDP are affected by CVE-2022-41877.
How can a malicious server exploit CVE-2022-41877?
A malicious server can exploit CVE-2022-41877 by tricking a FreeRDP client to read out-of-bounds data and send it back to the server.
How can I fix the vulnerability CVE-2022-41877?
To fix the vulnerability CVE-2022-41877, users should update to version 2.9.0 or higher of FreeRDP.

collector/nvd-index
agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/severity
agent/references
agent/remedy
agent/weakness
agent/title
agent/last-modified-date
agent/author
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/description
collector/launchpad-cve
source/Launchpad
agent/tags
collector/nvd-cve
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/freerdp
canonical/freerdp freerdp
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/36
version/fedoraproject fedora/37
package-manager/debian
package-manager/ubuntu