Homepage
About Snyk

Directory Traversal Affecting freerdp package, versions *

Severity

 Recommended
0.0
medium
0
10

Based on Ubuntu security rating

    Threat Intelligence

    EPSS
    0.12% (46th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UBUNTU1604-FREERDP-3124914
  • published 18 Nov 2022
  • disclosed 16 Nov 2022
Report a new vulnerability Found a mistake?

Introduced: 16 Nov 2022

CVE-2022-39347 Open this link in a new tab
CWE-22 Open this link in a new tab

How to fix?

There is no fixed version for Ubuntu:16.04 freerdp.

NVD Description

Note: Versions mentioned in the description apply only to the upstream freerdp package and not the freerdp package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for drive channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the /drive, /drives or +home-drive redirection switch.

References

CVSS Scores

version 3.1
Expand this section

NVD

5.7 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

SUSE

4.8 medium
Expand this section

Red Hat

4.8 medium