Vulnerability CVE-2022-39318: Information

Description

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.

Severity: MEDIUM (5.7) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-39318
Published: Nov. 17, 2022
Modified: Jan. 12, 2024
Error type identifier: CWE-20CWE-369

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
freerdpsisyphus2.9.0-alt12.11.7-alt2ALT-PU-2022-3127-1310190Fixed
freerdpsisyphus_e2k2.9.0-alt12.11.7-alt2ALT-PU-2022-7162-1-Fixed
freerdpsisyphus_riscv642.9.0-alt12.11.7-alt2ALT-PU-2022-7143-1-Fixed
freerdpp102.9.0-alt12.11.7-alt2ALT-PU-2022-3199-1310220Fixed
freerdpp10_e2k2.9.0-alt12.11.7-alt2ALT-PU-2022-7252-1-Fixed
freerdpp92.9.0-alt12.9.0-alt1ALT-PU-2022-3288-1310221Fixed
freerdpc10f12.9.0-alt12.11.6-alt1ALT-PU-2022-3199-1310220Fixed
freerdpc9f22.9.0-alt12.11.6-alt1ALT-PU-2022-3189-1310222Fixed
freerdpp112.9.0-alt12.11.7-alt2ALT-PU-2022-3127-1310190Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
  • Third Party Advisory
https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
  • Patch
  • Third Party Advisory
FEDORA-2022-fd6e43dec8
    FEDORA-2022-076b1c9978
      [debian-lts-announce] 20231117 [SECURITY] [DLA 3654-1] freerdp2 security update
        GLSA-202401-16

            1. Configuration 1

              cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
              End excliding
              2.9.0

              Configuration 2

              cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
              cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
          VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
          Version: v24.5.3
          Back to top