CVE-2022-39316

2022-11-1700:00:00

ubuntu.com

freerdp

remote desktop protocol

out of bound read

zgfx decoder

malicious server

upgrade

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

50.4%

JSON

FreeRDP is a free remote desktop protocol library and clients. In affected
versions there is an out of bound read in ZGFX decoder component of
FreeRDP. A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it likely resulting in a crash. This issue has
been addressed in the 2.9.0 release. Users are advised to upgrade.

Notes

Author	Note
mdeslaur	malicious server could cause client to crash

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.18.04.4UNKNOWN
ubuntu20.04noarchfreerdp2< 2.2.0+dfsg1-0ubuntu0.20.04.4UNKNOWN
ubuntu22.04noarchfreerdp2< 2.6.1+dfsg1-3ubuntu2.3UNKNOWN
ubuntu22.10noarchfreerdp2< 2.8.1+dfsg1-0ubuntu1.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	freerdp2	< 2.2.0+dfsg1-0ubuntu0.18.04.4	UNKNOWN
ubuntu	20.04	noarch	freerdp2	< 2.2.0+dfsg1-0ubuntu0.20.04.4	UNKNOWN
ubuntu	22.04	noarch	freerdp2	< 2.6.1+dfsg1-3ubuntu2.3	UNKNOWN
ubuntu	22.10	noarch	freerdp2	< 2.8.1+dfsg1-0ubuntu1.1	UNKNOWN