Vulnerability CVE-2022-39317: Information

Description

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.

Severity: MEDIUM (4.6) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Published: Nov. 17, 2022
Modified: Jan. 12, 2024
Error type identifier: CWE-125

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
freerdpsisyphus2.9.0-alt12.11.5-alt1ALT-PU-2022-3127-1310190Fixed
freerdpsisyphus_e2k2.9.0-alt12.11.5-alt1ALT-PU-2022-7162-1-Fixed
freerdpsisyphus_mipsel2.9.0-alt12.11.2-alt1ALT-PU-2022-7139-1-Fixed
freerdpsisyphus_riscv642.9.0-alt12.11.2-alt1ALT-PU-2022-7143-1-Fixed
freerdpp102.9.0-alt12.11.5-alt1ALT-PU-2022-3199-1310220Fixed
freerdpp10_e2k2.9.0-alt12.10.0-alt3ALT-PU-2022-7252-1-Fixed
freerdpp92.9.0-alt12.9.0-alt1ALT-PU-2022-3288-1310221Fixed
freerdpp9_mipsel2.9.0-alt12.9.0-alt1ALT-PU-2022-7394-1-Fixed
freerdpc10f12.9.0-alt12.11.5-alt1ALT-PU-2022-3199-1310220Fixed
freerdpc9f22.9.0-alt12.11.5-alt1ALT-PU-2022-3189-1310222Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
      End excliding
      2.9.0

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*