CVE-2020-15103
3.5
LOW
CVSS 3.1
EPSS 0.26%
Description
In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto
How to fix CVE-2020-15103
To remediate CVE-2020-15103, upgrade the affected package to a fixed version below.
- —upgrade to 2.2.0+dfsg1-1 or later
Is CVE-2020-15103 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.2.0+dfsg1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |