CVE-2022-39347
low-risk
Published 2022-11-16
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch.
Do I need to act?
-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.6/10
Low
NETWORK
/ HIGH complexity
Affected Vendors
References (13)
Third Party Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
Third Party Advisory
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
20
/ 100
low-risk
Severity
10/34 · Low
Exploitability
1/34 · Minimal
Exposure
9/34 · Low