7.5

CVE-2023-40589

Exploit

FreeRDP Global-Buffer-Overflow in ncrush_decompress

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FreerdpFreerdp Version < 2.11.0
FreerdpFreerdp Version3.0.0 Updatebeta1
FreerdpFreerdp Version3.0.0 Updatebeta2
FedoraprojectFedora Version37
FedoraprojectFedora Version38
FedoraprojectFedora Version39
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.2% 0.641
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html
Third Party Advisory
Mailing List
https://security.gentoo.org/glsa/202401-16
https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
Patch
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x
Vendor Advisory
Exploit
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6LLDAPEXRDJOM3PREDDD267SSNT77DP/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHMTGKCZXJPQOR5ZD2I4GPDNP2DKRXMF/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OH2ATH2BKDNKCJAU4WPPXK4SHLE3UJUV/
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2025/02/msg00016.html