CVE-2022-24883

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24883
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24883.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24883
Downstream
Related
Published
2022-04-26T16:15:47Z
Modified
2025-09-19T13:48:20.033553Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a SAM file might succeed for invalid credentials if the server is configured with an invalid SAM file path. FreeRDP-based clients are not affected; RDP server implementations that use FreeRDP to authenticate against a SAM file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via HashCallback and/or ensure that the configured SAM database path is valid and that the application has not run out of file handles (the workaround suggests the issue can arise whenever the SAM database cannot be opened, not only when the path is wrong).

References

Affected packages

Git / github.com/freerdp/freerdp

Affected ranges

Type
GIT
Repo
https://github.com/freerdp/freerdp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed

Affected versions

1.*

1.0-beta1
1.0-beta2
1.0-beta3
1.0-beta4
1.0-beta5
1.0.0
1.0.1
1.1.0-beta+2013071101
1.1.0-beta1
1.1.0-beta1+android2
1.1.0-beta1+android3
1.1.0-beta1+android4
1.1.0-beta1+android5
1.1.0-beta1+ios1
1.1.0-beta1+ios2
1.1.0-beta1+ios3
1.1.0-beta1+ios4
1.2.0-beta1+android7
1.2.0-beta1+android9

2.*

2.0.0
2.0.0-beta1+android10
2.0.0-beta1+android11
2.0.0-rc0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
2.1.0
2.1.1
2.1.2
2.2.0
2.3.0
2.3.1
2.3.2
2.4.1
2.5.0
2.6.0
2.6.1

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "224512516757722804138651175772322229937",
                "length": 1379.0
            },
            "id": "CVE-2022-24883-171ab148",
            "source": "https://github.com/freerdp/freerdp/commit/4661492e5a617199457c8074bad22f766a116cdc",
            "signature_type": "Function",
            "signature_version": "v1",
            "target": {
                "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c",
                "function": "ntlm_fetch_ntlm_v2_hash"
            },
            "deprecated": false
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "313557563319450212161742967770655894448",
                    "157516988942529962021073580442638419935",
                    "45907852398324664681287398294991153845",
                    "16886696078853460179760986296758181441",
                    "164040800863298129539612746911940751100",
                    "175779120317322390932253524919760470684",
                    "176552729036527822237802318995942340741",
                    "189744341600674932910863258123431846996",
                    "291222831451101847946019713963141642630",
                    "147875847270978974535311025851865514042",
                    "310421608660791645234655808508001463134",
                    "323066027842463209063851507277857901302",
                    "286259475415957499421091828383598123944",
                    "295826782890119120438400305714869524782",
                    "43907154137988246719077606630499898932",
                    "162118985562177859735664266031103330685",
                    "152038228742695229317861500715605322063",
                    "58164673283716893163758104839734498832",
                    "197955755102991386522740022327504901447",
                    "34014620232038892036748451528342412478",
                    "119349460515842251061776050976493062634",
                    "41677250043148110454919757362748397187",
                    "211704911837689973026737699191147581277",
                    "329237516022547994979575673338003234418",
                    "203226458212702422696570647691245883289",
                    "139948483821259328584452835865863285968",
                    "294594475084889492860193236364872908872",
                    "110919828093998515544372855118485524744",
                    "174182105684001863679477618313035507551",
                    "43907154137988246719077606630499898932",
                    "162118985562177859735664266031103330685",
                    "152038228742695229317861500715605322063",
                    "58164673283716893163758104839734498832",
                    "197955755102991386522740022327504901447",
                    "34014620232038892036748451528342412478",
                    "119349460515842251061776050976493062634",
                    "41677250043148110454919757362748397187",
                    "211704911837689973026737699191147581277",
                    "329237516022547994979575673338003234418",
                    "284729441197135541636563418494129395690",
                    "17062292484768571178449548993950666756",
                    "181120942783779215960024302397648387729",
                    "64157616216887885853416030378986122925",
                    "79937381499805010913441097529623027607",
                    "228217654992136040562978661761103284451",
                    "247035438391890309837323494089225014482",
                    "131957302881144990579467461672661565431",
                    "247756776613701878871203386442436591363"
                ]
            },
            "id": "CVE-2022-24883-1a8a96cb",
            "source": "https://github.com/freerdp/freerdp/commit/4661492e5a617199457c8074bad22f766a116cdc",
            "signature_type": "Line",
            "signature_version": "v1",
            "target": {
                "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c"
            },
            "deprecated": false
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "313557563319450212161742967770655894448",
                    "157516988942529962021073580442638419935",
                    "45907852398324664681287398294991153845",
                    "16886696078853460179760986296758181441",
                    "164040800863298129539612746911940751100",
                    "175779120317322390932253524919760470684",
                    "176552729036527822237802318995942340741",
                    "189744341600674932910863258123431846996",
                    "291222831451101847946019713963141642630",
                    "147875847270978974535311025851865514042",
                    "310421608660791645234655808508001463134",
                    "323066027842463209063851507277857901302",
                    "286259475415957499421091828383598123944",
                    "295826782890119120438400305714869524782",
                    "43907154137988246719077606630499898932",
                    "162118985562177859735664266031103330685",
                    "152038228742695229317861500715605322063",
                    "58164673283716893163758104839734498832",
                    "197955755102991386522740022327504901447",
                    "34014620232038892036748451528342412478",
                    "119349460515842251061776050976493062634",
                    "41677250043148110454919757362748397187",
                    "211704911837689973026737699191147581277",
                    "329237516022547994979575673338003234418",
                    "203226458212702422696570647691245883289",
                    "139948483821259328584452835865863285968",
                    "294594475084889492860193236364872908872",
                    "110919828093998515544372855118485524744",
                    "174182105684001863679477618313035507551",
                    "43907154137988246719077606630499898932",
                    "162118985562177859735664266031103330685",
                    "152038228742695229317861500715605322063",
                    "58164673283716893163758104839734498832",
                    "197955755102991386522740022327504901447",
                    "34014620232038892036748451528342412478",
                    "119349460515842251061776050976493062634",
                    "41677250043148110454919757362748397187",
                    "211704911837689973026737699191147581277",
                    "329237516022547994979575673338003234418",
                    "284729441197135541636563418494129395690",
                    "17062292484768571178449548993950666756",
                    "181120942783779215960024302397648387729",
                    "64157616216887885853416030378986122925",
                    "79937381499805010913441097529623027607",
                    "228217654992136040562978661761103284451",
                    "247035438391890309837323494089225014482",
                    "131957302881144990579467461672661565431",
                    "247756776613701878871203386442436591363"
                ]
            },
            "id": "CVE-2022-24883-6cdb178f",
            "source": "https://github.com/freerdp/freerdp/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144",
            "signature_type": "Line",
            "signature_version": "v1",
            "target": {
                "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c"
            },
            "deprecated": false
        },
        {
            "digest": {
                "function_hash": "224512516757722804138651175772322229937",
                "length": 1379.0
            },
            "id": "CVE-2022-24883-9ba78bec",
            "source": "https://github.com/freerdp/freerdp/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144",
            "signature_type": "Function",
            "signature_version": "v1",
            "target": {
                "file": "winpr/libwinpr/sspi/NTLM/ntlm_compute.c",
                "function": "ntlm_fetch_ntlm_v2_hash"
            },
            "deprecated": false
        }
    ]
}