CVE-2020-11041

In FreeRDP less than or equal to 2.0.0, an outside controlled array index is used unchecked for data used as configuration for sound backend (alsa, oss, pulse, ...). The most likely outcome is a crash of the client instance followed by no or distorted sound or a session disconnect. If a user cannot upgrade to the patched version, a workaround is to disable sound for the session. This has been patched in 2.1.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
2.2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
freerdpfreerdp
𝑥
< 2.1.0
opensuseleap
15.1
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
freerdp2
bullseye
2.3.0+dfsg1-2+deb11u1
fixed
bookworm
2.10.0+dfsg1-1
fixed
sid
2.11.7+dfsg1-4
fixed
trixie
2.11.7+dfsg1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
freerdp
focal
dne
eoan
dne
bionic
not-affected
xenial
not-affected
trusty
dne
freerdp2
focal
Fixed 2.1.1+dfsg1-0ubuntu0.20.04.1
released
eoan
Fixed 2.1.1+dfsg1-0ubuntu0.19.10.1
released
bionic
Fixed 2.1.1+dfsg1-0ubuntu0.18.04.1
released
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00080.html
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w
https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00080.html
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w
https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html