CVE-2024-32660 FreeRDP zgfx_decompress out of memory vulnerability

2024-04-2320:03:28

CWE-770

GitHub_M

github.com

freerdp

zgfx_decompress

out of memory

vulnerability

version 3.5.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

10.3%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "FreeRDP",
    "product": "FreeRDP",
    "versions": [
      {
        "version": "< 3.5.1",
        "status": "affected"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:freerdp:freerdp:-:*:*:*:*:*:*:*"
    ],
    "vendor": "freerdp",
    "product": "freerdp",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "3.5.1"
      }
    ],
    "defaultStatus": "unknown"
  }
]