CVE-2023-40184

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40184

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40184.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-40184

Aliases

GHSA-f489-557v-47jq

Related

Published

2023-08-30T18:15:09Z

Modified

2024-10-12T11:03:28.463055Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The auth_start_session function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.

References

Affected packages

Debian:11 / xrdp

Package

Name: xrdp
Purl: pkg:deb/debian/xrdp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.12-1.1

0.9.15-1

0.9.17-1

0.9.17-2

0.9.17-2.1

0.9.19-1

0.9.21.1-1~deb11u1

0.9.21.1-1

0.9.24-1

0.9.24-2

0.9.24-3

0.9.24-4

0.9.24-5~bpo12+1

0.9.24-5

0.10.0~beta1-1

0.10.0~beta1-2

0.10.0~beta2-1

0.10.0-1

0.10.0-2

0.10.1-1

0.10.1-2

0.10.1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / xrdp

Package

Name: xrdp
Purl: pkg:deb/debian/xrdp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.21.1-1

0.9.24-1

0.9.24-2

0.9.24-3

0.9.24-4

0.9.24-5~bpo12+1

0.9.24-5

0.10.0~beta1-1

0.10.0~beta1-2

0.10.0~beta2-1

0.10.0-1

0.10.0-2

0.10.1-1

0.10.1-2

0.10.1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / xrdp

Package

Name: xrdp
Purl: pkg:deb/debian/xrdp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.24-2

Affected versions

0.*

0.9.21.1-1

0.9.24-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/neutrinolabs/xrdp

Affected ranges

Type: GIT
Repo: https://github.com/neutrinolabs/xrdp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a111a0fdfe2421ef600e40708b5f0168594cfb23

Affected versions

v0.*

v0.9.1

v0.9.10

v0.9.11

v0.9.12

v0.9.13

v0.9.14

v0.9.15

v0.9.16

v0.9.17

v0.9.18

v0.9.2

v0.9.3

v0.9.3.rc1

v0.9.4

v0.9.4.rc1

v0.9.5

v0.9.6

v0.9.7

v0.9.8

v0.9.9