
Missing input length validation in `drive` channel

Low
bmiklautz published GHSA-pmv3-wpw4-pw5h Nov 16, 2022

Package

FreeRDP (C)

Affected versions

<= 2.8.1

Patched versions

2.9.0

Description

Impact

Input length validation is missing in the `drive` channel.
A malicious server can trick a FreeRDP-based client into reading out-of-bounds data and sending it back to the server.
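
An added illustration of this bug class (not FreeRDP's code and not its wire format): a client-side parser for a hypothetical length-prefixed message that verifies the server-declared length against the bytes actually received before copying them into a reply. The `stream_t` type, the function names and the message layout are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout (an assumption, not FreeRDP's format):
 *   uint32 little-endian path_len, followed by path_len bytes of path. */
typedef struct {
    const uint8_t *data;
    size_t len; /* bytes actually received from the server */
    size_t pos; /* read cursor, invariant: pos <= len */
} stream_t;

static size_t stream_remaining(const stream_t *s) { return s->len - s->pos; }

/* Reads a 32-bit little-endian value only if 4 bytes are really present. */
static int read_u32_le(stream_t *s, uint32_t *out)
{
    if (stream_remaining(s) < 4)
        return -1;
    const uint8_t *p = s->data + s->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 0;
}

/* Copies the server-named path into the reply buffer.
 * Returns the number of bytes copied, or -1 if the message is malformed. */
long echo_path_checked(stream_t *s, uint8_t *reply, size_t reply_cap)
{
    uint32_t path_len;
    if (read_u32_le(s, &path_len) != 0)
        return -1;
    /* Without this check, a declared length larger than the received data
     * makes the copy below read past the buffer and return those bytes. */
    if (path_len > stream_remaining(s))
        return -1;
    if (path_len > reply_cap)
        return -1;
    memcpy(reply, s->data + s->pos, path_len);
    s->pos += path_len;
    return (long)path_len;
}
```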

Patches

2.9.0

Workarounds

Do not use the drive redirection channel: avoid the command-line options `/drive`, `+drives` or `+home-drive`.

Issue Reporter

Reported by 'Team BT5 (BoB 11th)'

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-41877

Weaknesses

No CWEs
