{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32660", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-16T14:15:26.877Z", "datePublished": "2024-04-23T20:03:28.529Z", "dateUpdated": "2024-08-02T02:13:40.338Z"}, "containers": {"cna": {"title": "FreeRDP zgfx_decompress out of memory vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47"}, {"name": "https://oss-fuzz.com/testcase-detail/5559242514825216", "tags": ["x_refsource_MISC"], "url": "https://oss-fuzz.com/testcase-detail/5559242514825216"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKI4UISUXYNBPN4K6TIQKDRTIJ6CDCKJ/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7SIS6NUNLUBOV4CPCSWKDE6T6C2W3WTR/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PX3U6YPZQ7PEJBVKSBUOLWVH7DHROHY5/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JL476WVJSIE7SBUKVJRVA6A52V2HOLZ/"}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"version": "< 3.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-23T20:04:09.052Z"}, "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available."}], "source": {"advisory": "GHSA-mxv6-2cw6-m3mx", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-24T13:13:12.257530Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:freerdp:freerdp:-:*:*:*:*:*:*:*"], "vendor": "freerdp", "product": "freerdp", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:50:42.566Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:40.338Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47"}, {"name": "https://oss-fuzz.com/testcase-detail/5559242514825216", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://oss-fuzz.com/testcase-detail/5559242514825216"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKI4UISUXYNBPN4K6TIQKDRTIJ6CDCKJ/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7SIS6NUNLUBOV4CPCSWKDE6T6C2W3WTR/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PX3U6YPZQ7PEJBVKSBUOLWVH7DHROHY5/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JL476WVJSIE7SBUKVJRVA6A52V2HOLZ/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32660", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-16T14:15:26.877Z", "datePublished": "2024-04-23T20:03:28.529Z", "dateUpdated": "2024-04-23T20:04:09.052Z"}, "containers": {"cna": {"title": "FreeRDP zgfx_decompress out of memory vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx"}, {"name": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47", "tags": ["x_refsource_MISC"], "url": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47"}, {"name": "https://oss-fuzz.com/testcase-detail/5559242514825216", "tags": ["x_refsource_MISC"], "url": "https://oss-fuzz.com/testcase-detail/5559242514825216"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKI4UISUXYNBPN4K6TIQKDRTIJ6CDCKJ/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7SIS6NUNLUBOV4CPCSWKDE6T6C2W3WTR/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PX3U6YPZQ7PEJBVKSBUOLWVH7DHROHY5/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JL476WVJSIE7SBUKVJRVA6A52V2HOLZ/"}], "affected": [{"vendor": "FreeRDP", "product": "FreeRDP", "versions": [{"version": "< 3.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-23T20:04:09.052Z"}, "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available."}], "source": {"advisory": "GHSA-mxv6-2cw6-m3mx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-24T13:13:12.257530Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:freerdp:freerdp:-:*:*:*:*:*:*:*"], "vendor": "freerdp", "product": "freerdp", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-24T13:14:10.443Z"}, "title": "CISA ADP Vulnrichment"}]}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available."}, {"lang": "es", "value": "FreeRDP es una implementaci\u00f3n gratuita del protocolo de escritorio remoto. Antes de la versi\u00f3n 3.5.1, un servidor malicioso pod\u00eda bloquear el cliente FreeRDP al enviar un tama\u00f1o de asignaci\u00f3n enorme no v\u00e1lido. La versi\u00f3n 3.5.1 contiene un parche para el problema. No hay workarounds disponibles."}], "id": "CVE-2024-32660", "lastModified": "2024-06-10T18:15:33.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-23T20:15:07.617", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/FreeRDP/FreeRDP/commit/5e5d27cf310e4c10b854be7667bfb7a5d774eb47"}, {"source": "security-advisories@github.com", "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JL476WVJSIE7SBUKVJRVA6A52V2HOLZ/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7SIS6NUNLUBOV4CPCSWKDE6T6C2W3WTR/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PX3U6YPZQ7PEJBVKSBUOLWVH7DHROHY5/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKI4UISUXYNBPN4K6TIQKDRTIJ6CDCKJ/"}, {"source": "security-advisories@github.com", "url": "https://oss-fuzz.com/testcase-detail/5559242514825216"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9092", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "freerdp-2:2.11.7-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "freerdp: zgfx_decompress out of memory", "id": "2276968", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276968"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available."], "name": "CVE-2024-32660", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "freerdp", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-04-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32660\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32660\nhttps://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxv6-2cw6-m3mx"], "threat_severity": "Low", "upstream_fix": "freerdp 3.5.1"}