Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-39347

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.

Published

2022-11-16T20:15:10.367

Last Modified

2024-11-21T07:18:05.243

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 2.6 (LOW)

Weaknesses

Type: Secondary
CWE-22
Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	freerdp	freerdp	< 2.9.0	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes

References

https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d Patch, Third Party Advisory ([email protected])
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/ ([email protected])
https://security.gentoo.org/glsa/202401-16 ([email protected])
https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDOTAOJBCZKREZJPT6VZ25GESI5T6RBG/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGQN3OWQNHSMWKOF4D35PF5ASKNLC74B/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202401-16 (af854a3a-2127-422b-91ae-364da2661108)