CVE Vulnerability

CVE-2022-23613

xrdp is an open source remote desktop protocol (RDP) server. In affected versions an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is able to locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.

7.2 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa Patch Third Party Advisory
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5ONRGARKHGFU2CIEQ7E6M6VJZEM5XWW/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3XGFJNQMNXHBD3J7CBM4YURYEDXROWZ/ Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:neutrinolabs:xrdp:0.9.17:*:*:*:*:*:*:*
cpe:2.3:a:neutrinolabs:xrdp:0.9.18:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Information

Published : 2022-02-07 10:15

Updated : 2022-03-15 04:39

NVD link : CVE-2022-23613

Mitre link : CVE-2022-23613

Products Affected
No products.
CWE
CWE-191

Integer Underflow (Wrap or Wraparound)