CVE-2023-40184 Vulnerability Details


CVE-2023-40184 Metadata Quick Info

CVE Published: 30/08/2023 | CVE Updated: 30/09/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: neutrinolabs | Product: xrdp
Status : PUBLISHED

CVE-2023-40184 Description

xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23, improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return a non-zero (1) value on, e.g., a PAM error, which may result in session restrictions enforced by PAM, such as the maximum number of concurrent sessions per user (e.g. /etc/security/limits.conf), being bypassed. Users (administrators) who don't use PAM restrictions are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue.

Metrics

CVSS Version: 3.1 | Base Score: 2.6 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

➤ Exploitability Metrics:
    Attack Vector (AV): NETWORK
    Attack Complexity (AC): HIGH
    Privileges Required (PR): LOW
    User Interaction (UI): REQUIRED
    Scope (S): UNCHANGED

➤ Impact Metrics:
    Confidentiality Impact (C): NONE
    Integrity Impact (I): NONE
    Availability Impact (A): LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-755
CWE Name: CWE-755: Improper Handling of Exceptional Conditions
Source: neutrinolabs

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: