CVE-2020-11041

low-risk

Published 2020-05-29

In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0.

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.2/10 Low

NETWORK / HIGH complexity

Affected Products (3)

Freerdp

Leap

Debian Linux

Affected Vendors

Debian Opensuse Freerdp

References (6)

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00080.html

Third Party Advisory https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w

Mailing List https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00080.html

Third Party Advisory https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w

Mailing List https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html

/ 100

low-risk

Severity 9/34 · Low

Exploitability 1/34 · Minimal

Exposure 9/34 · Low