Home > Vulnerability Database > CVE-2020-15103

Mend.io Vulnerability Database

CVE-2020-15103

Date: July 26, 2020

In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a "memcpy") This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto

Language: C

Severity Score

3.5

Related Resources (16)

Url: https://security.alpinelinux.org/vuln/CVE-2020-15103

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y35HBHG2INICLSGCIKNAR7GCXEHQACQ/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOZLH35OJWIQLM7FYDXAP2EAUBDXE76V/

Url: https://access.redhat.com/security/cve/CVE-2020-15103

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15103

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15103

Url: https://github.com/FreeRDP/FreeRDP/pull/6382

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOZLH35OJWIQLM7FYDXAP2EAUBDXE76V/

Url: https://security-tracker.debian.org/tracker/CVE-2020-15103

Url: https://github.com/FreeRDP/FreeRDP/blob/616af2d5b86dc24c7b3e89870dbcffd841d9a535/ChangeLog#L4

Url: https://usn.ubuntu.com/4481-1/

Url: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4r38-6hq7-j3j9

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y35HBHG2INICLSGCIKNAR7GCXEHQACQ/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00010.html

Url: https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html

Url: https://www.mend.io/vulnerability-database/CVE-2020-15103

Severity Score

3.5

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Improper Input Validation

CWE-20

Integer Overflow to Buffer Overflow

CWE-680

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15103

Date: July 26, 2020

Language: C

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?