{"id":"CVE-2022-24883","summary":"FreeRDP Server authentication might allow invalid credentials to pass","details":"FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might succeed with invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure that the configured `SAM` database path is valid and that the application has not run out of file handles.","aliases":["GHSA-qxm3-v2r6-vmwf"],"modified":"2026-04-16T04:32:16.919211699Z","published":"2022-04-26T00:00:00Z","related":["SUSE-SU-2022:2352-1","SUSE-SU-2022:2353-1","SUSE-SU-2022:2354-1","openSUSE-SU-2024:13504-1"],"database_specific":{"cwe_ids":["CWE-287"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24883.json"},"references":[{"type":"WEB","url":"https://github.com/FreeRDP/FreeRDP/releases/tag/2.7.0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00016.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24883.json"},{"type":"ADVISORY","url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AELSWWBAM2YONRPGLWVDY6UNTLJERJYL/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOYKBQOHSRM7JQYUIYUWFOXI2JZ2J5RD/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZWR6KSIKXO4B2TXBB3WH6YTNYHN46OY/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24883"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-24"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc"},{"type":"FIX","url":"https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00010.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freerdp/freerdp","events":[{"introduced":"0"},{"fixed":"40ee5d3bcc70343af6c0300d71968858c1f1948f"}]}],"versions":["1.0-beta1","1.0-beta2","1.0-beta4","1.0-beta5","1.0.0","1.0.1","1.1.0-beta+2013071101","1.1.0-beta1","1.1.0-beta1+android2","1.1.0-beta1+android3","1.1.0-beta1+android4","1.1.0-beta1+android5","1.1.0-beta1+ios1","1.1.0-beta1+ios2","1.1.0-beta1+ios3","1.1.0-beta1+ios4","1.2.0-beta1+android7","1.2.0-beta1+android9","2.0.0","2.0.0-beta1+android10","2.0.0-beta1+android11","2.0.0-rc0","2.0.0-rc1","2.0.0-rc2","2.0.0-rc3","2.0.0-rc4","2.1.0","2.1.1","2.1.2","2.2.0","2.3.0","2.3.1","2.3.2","2.4.1","2.5.0","2.6.0","2.6.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24883.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}