CVE-2024-39917 - OpenCVE

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Neutrinolabs	Xrdp

Configuration 1 [-]

cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

History

Thu, 05 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Neutrinolabs Neutrinolabs xrdp
CPEs		cpe:2.3:a:neutrinolabs:xrdp::::::::
Vendors & Products		Neutrinolabs Neutrinolabs xrdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-12T15:24:01.307Z

Updated: 2024-08-02T04:33:11.745Z

Reserved: 2024-07-02T19:37:18.602Z

Link: CVE-2024-39917

Vulnrichment

Updated: 2024-08-02T04:33:11.745Z

NVD

Status : Analyzed

Published: 2024-07-12T16:15:04.620

Modified: 2024-09-05T15:43:23.117

Link: CVE-2024-39917

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39917", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-02T19:37:18.602Z", "datePublished": "2024-07-12T15:24:01.307Z", "dateUpdated": "2024-08-02T04:33:11.745Z"}, "containers": {"cna": {"title": "xrdp allows an ininite number of login attempts", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}], "affected": [{"vendor": "neutrinolabs", "product": "xrdp", "versions": [{"version": "<= 0.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-12T15:24:01.307Z"}, "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}], "source": {"advisory": "GHSA-7w22-h4w7-8j5j", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "neutrinolabs", "product": "xrdp", "cpes": ["cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.10.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-12T15:43:14.463299Z", "id": "CVE-2024-39917", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:45:05.246Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.745Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.745Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-12T15:43:14.463299Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*"], "vendor": "neutrinolabs", "product": "xrdp", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.10.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:45:00.904Z"}}], "cna": {"title": "xrdp allows an ininite number of login attempts", "source": {"advisory": "GHSA-7w22-h4w7-8j5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "neutrinolabs", "product": "xrdp", "versions": [{"status": "affected", "version": "<= 0.10.0"}]}], "references": [{"url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-12T15:24:01.307Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39917", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:33:11.745Z", "dateReserved": "2024-07-02T19:37:18.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-12T15:24:01.307Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*", "matchCriteriaId": "86B81D51-A16A-41F1-8DD4-AA5BCDBC72BB", "versionEndExcluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}, {"lang": "es", "value": "xrdp es un servidor RDP de c\u00f3digo abierto. Las versiones de xrdp anteriores a la 0.10.0 tienen una vulnerabilidad que permite a los atacantes realizar una cantidad infinita de intentos de inicio de sesi\u00f3n. Se supone que el n\u00famero m\u00e1ximo de intentos de inicio de sesi\u00f3n est\u00e1 limitado por un par\u00e1metro de configuraci\u00f3n `MaxLoginRetry` en `/etc/xrdp/sesman.ini`. Sin embargo, este mecanismo no estaba funcionando eficazmente. Como resultado, xrdp permite una cantidad infinita de intentos de inicio de sesi\u00f3n."}], "id": "CVE-2024-39917", "lastModified": "2024-09-05T15:43:23.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-12T16:15:04.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Secondary"}]}