CVE-2022-24882

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides and empty password value. This issue affects FreeRDP based RDP Server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.

Published: Apr 26, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-24882
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
freerdp / freerdp	-	2.7.0
fedoraproject / fedora	34	34.x
fedoraproject / extra_packages_for_enterprise_linux	8.0	8.0.x
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x

https://github.com/FreeRDP/FreeRDP/pull/7750
https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6x5p-gp49-3jhh
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/95
https://lists.fedoraproject.org/archives/list/[email protected]/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
https://lists.fedoraproject.org/archives/list/[email protected]/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/
https://lists.fedoraproject.org/archives/list/[email protected]/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/
https://security.gentoo.org/glsa/202210-24

Vulnerability Database

289,599

CVE-2022-24882