PT-2022-5612 · Freerdp+9

Bmiklautz · Published 2022-11-14 · Updated 2025-02-15 · CVE-2022-39347

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 2.9.0
Description: The vulnerability stems from missing path canonicalization and a missing base path check in the drive channel of FreeRDP, which lets a malicious server trick a FreeRDP-based client into reading files outside the shared directory. A remote attacker can thereby gain unauthorized access to protected information. Users unable to upgrade should avoid using the /drive, /drives, or +home-drive redirection switch to minimize the risk.
Recommendations: For versions prior to 2.9.0, upgrade to version 2.9.0 or later to address the issue. As a temporary workaround, do not use the /drive, /drives, or +home-drive redirection switch until the fix is applied.
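The description names the two controls that were missing: path canonicalization and a base path check. The C below is an added illustration, not FreeRDP's own code, of the general shape of such a check applied to a server-supplied drive-channel path. It lexically normalises the path (collapsing "." and ".." and accepting both "/" and "\" as separators, since drive-channel paths arrive in Windows form), rejects any ".." that would climb above the share root, and then confirms that the joined result still lies under the base directory. The function names, the share base path and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 256

/* Lexically normalise a server-supplied relative path. Writes "/a/b/c" style
 * output (empty string for the share root) into out. Returns false when a
 * ".." component would climb above the share root or out is too small.
 * Constructed for this example; not FreeRDP's implementation. */
static bool normalise_share_path(const char* rel, char* out, size_t outlen)
{
    const char* p = rel;
    size_t depth = 0;              /* components currently present in out */
    size_t pos = 0;                /* write position in out */
    size_t comp_start[MAX_DEPTH];  /* offset where each component begins */

    if (outlen == 0)
        return false;
    out[0] = '\0';

    while (*p) {
        while (*p == '/' || *p == '\\')   /* skip separators */
            p++;
        if (!*p)
            break;
        const char* start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')   /* "." : no-op */
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)                /* ".." above the share root */
                return false;
            depth--;
            pos = comp_start[depth];       /* pop the previous component */
            out[pos] = '\0';
            continue;
        }
        if (depth >= MAX_DEPTH || pos + 1 + len + 1 > outlen)
            return false;
        comp_start[depth++] = pos;
        out[pos++] = '/';
        memcpy(out + pos, start, len);
        pos += len;
        out[pos] = '\0';
    }
    return true;
}

/* Join base (no trailing slash) with the normalised request and verify, as a
 * second independent check, that the result still starts with base followed
 * by a separator or the end of string. Returns false if the request escapes. */
static bool resolve_in_share(const char* base, const char* rel,
                             char* full, size_t fulllen)
{
    char norm[1024];
    if (!normalise_share_path(rel, norm, sizeof norm))
        return false;

    int n = snprintf(full, fulllen, "%s%s", base, norm);
    if (n < 0 || (size_t)n >= fulllen)
        return false;

    size_t blen = strlen(base);
    if (strncmp(full, base, blen) != 0)
        return false;
    if (full[blen] != '\0' && full[blen] != '/')
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample requests a server might send over the drive channel. */
    const char* base = "/home/user/share";
    const char* requests[] = { "docs\\report.txt", "docs\\..\\other.txt",
                               "..\\..\\etc\\passwd", "docs/../../x", "./" };
    char full[512];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool ok = resolve_in_share(base, requests[i], full, sizeof full);
        printf("%-22s -> %s\n", requests[i], ok ? full : "REJECTED");
    }
    return 0;
}
```

Lexical normalisation alone does not follow symbolic links, so a client that also wants to defend against a symlink placed inside the share would additionally resolve the final path (realpath() on POSIX systems) and repeat the prefix comparison; this example deliberately stops at the lexical check the description calls for.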

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

ALSA-2023:2326
ALSA-2023:2851
ALT-PU-2022-3127
ALT-PU-2022-3189
ALT-PU-2022-3199
ALT-PU-2022-3288
BDU:2022-06975
CESA-2023_2851
CVE-2022-39347
DLA-3654-1
DLA-4053-1
GHSA-C5XQ-8V35-PFFG
MGASA-2022-0447
OESA-2022-2112
OPENSUSE-SU-2023_0399-1
RHSA-2023:2326
RHSA-2023:2851
RHSA-2023_2326
RHSA-2023_2851
SUSE-SU-2023:0399-1
SUSE-SU-2023:0400-1
USN-5734-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Freerdp
Linuxmint
Red Hat
Red Os
Suse
Ubuntu