Missing path sanitation with `drive` channel

Impact

Missing path canonicalization and base path check for drive channel
A malicious server can trick a FreeRDP based client to read files outside the shared directory

Patches

2.9.0

Workarounds

Do not use the /drive, /drives or +home-drive redirection switch

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/FreeRDP/FreeRDP
See https://www.freerdp.com/ for contact details
Email us at security@freerdp.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing path sanitation with `drive` channel

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

Issue Reporter

For more information

Severity

CVE ID

Weaknesses

Credits