CVE-2022-24883
FreeRDP Server authentication might allow invalid credentials to pass
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.4EPSS 2.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
26 Apr 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
FreeRDP · FreeRDPWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdchttps://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwfhttps://lists.debian.org/debian-lts-announce/2023/11/msg00010.htmlhttps://lists.debian.org/debian-lts-announce/2025/02/msg00016.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/https://security.gentoo.org/glsa/202210-24