Vulnerability Description
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.
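The failure mode in the description (an unopenable SAM database ending in a successful authentication for invalid credentials) is a fail-open check: the code rejects the errors it anticipated and accepts everything else. The C program below, added here as an illustration and not FreeRDP's own code, contrasts that shape with a fail-closed check. It assumes a simplified `user:domain:hash` line format and the hypothetical functions `sam_lookup`, `authenticate_fail_open`, `authenticate_fail_closed` and `write_sample_sam`; the hash value and the sample file are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of a SAM lookup. Keeping "user absent" and "database could not
 * be opened" distinct is what lets the caller fail closed. */
typedef enum {
    SAM_OK = 0,          /* user found, stored hash copied to `out` */
    SAM_NOT_FOUND = 1,   /* file readable, no line for this user */
    SAM_UNAVAILABLE = 2  /* fopen failed: bad path, permissions, fd exhaustion */
} sam_status;

#define SAMPLE_SAM_PATH "/tmp/sam_example_cve_2022_24883.txt"
/* Placeholder credential material, not a real NT hash. */
#define SAMPLE_HASH "0123456789abcdef0123456789abcdef"

/* Constructed line format "user:domain:hash" (simplified; not FreeRDP's
 * own SAM parser). Returns one of the codes above. */
sam_status sam_lookup(const char *path, const char *user, char *out, size_t outlen)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return SAM_UNAVAILABLE;

    char line[256];
    sam_status rc = SAM_NOT_FOUND;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        char *sep = strchr(line, ':');
        if (!sep) continue;                 /* malformed line: skip it */
        *sep = '\0';
        char *domain = sep + 1;
        sep = strchr(domain, ':');
        if (!sep) continue;
        char *hash = sep + 1;
        if (strcmp(line, user) == 0) {
            snprintf(out, outlen, "%s", hash);
            rc = SAM_OK;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* One plausible shape of a fail-open check (assumed for illustration):
 * only the anticipated failures are rejected, so an unopenable SAM file
 * falls through to "authenticated". */
int authenticate_fail_open(const char *path, const char *user, const char *presented)
{
    char stored[65] = "";
    sam_status st = sam_lookup(path, user, stored, sizeof stored);
    if (st == SAM_NOT_FOUND)
        return 0;
    if (st == SAM_OK && strcmp(stored, presented) != 0)
        return 0;
    return 1;   /* BUG: reached for SAM_UNAVAILABLE with any credentials */
}

/* Hardened form: only an explicit SAM_OK plus a matching hash authenticates.
 * Every error path, including a missing database, denies. */
int authenticate_fail_closed(const char *path, const char *user, const char *presented)
{
    char stored[65] = "";
    if (sam_lookup(path, user, stored, sizeof stored) != SAM_OK)
        return 0;
    /* Production code should use a constant-time comparison here. */
    return strcmp(stored, presented) == 0;
}

/* Writes a constructed one-entry SAM file to `path`. Returns 0 on success. */
int write_sample_sam(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs("alice:EXAMPLE:" SAMPLE_HASH "\n", f);
    fclose(f);
    return 0;
}

int main(void)
{
    if (write_sample_sam(SAMPLE_SAM_PATH) != 0)
        return 1;
    printf("valid path, good creds : open=%d closed=%d\n",
           authenticate_fail_open(SAMPLE_SAM_PATH, "alice", SAMPLE_HASH),
           authenticate_fail_closed(SAMPLE_SAM_PATH, "alice", SAMPLE_HASH));
    printf("valid path, bad creds  : open=%d closed=%d\n",
           authenticate_fail_open(SAMPLE_SAM_PATH, "alice", "wrong"),
           authenticate_fail_closed(SAMPLE_SAM_PATH, "alice", "wrong"));
    printf("bad path, bad creds    : open=%d closed=%d\n",
           authenticate_fail_open("/nonexistent/dir/sam", "alice", "wrong"),
           authenticate_fail_closed("/nonexistent/dir/sam", "alice", "wrong"));
    remove(SAMPLE_SAM_PATH);
    return 0;
}
```

The third line of output is the one that matters: with a bad SAM path the fail-open variant reports success for wrong credentials, while the fail-closed variant denies. The same check also covers the "no file handles left" case mentioned in the workaround, since `fopen` then fails the same way as a bad path. Operationally, a server that logs `SAM_UNAVAILABLE` separately from `SAM_NOT_FOUND` makes a misconfigured database path visible instead of silently accepting logins.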
CVSS Score
HIGH (base score 7.4)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freerdp | Freerdp | < 2.7.0 |
| Fedoraproject | Fedora | 34 |
Related Weaknesses (CWE)
References
- https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116c (Patch, Third Party Advisory)
- https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e1 (Patch, Third Party Advisory)
- https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0 (Release Notes, Third Party Advisory)
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202210-24 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2025/02/msg00016.html
FAQ
What is CVE-2022-24883?
CVE-2022-24883 is a vulnerability with a CVSS score of 7.4 (HIGH). FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server...
How severe is CVE-2022-24883?
CVE-2022-24883 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24883?
Check the references section above for vendor advisories and patch information. Affected products include: Freerdp Freerdp, Fedoraproject Fedora.