CVE-2024-39917

Published: Jul 12, 2024

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Vendor	Product	Versions
neutrinolabs	xrdp	affected `<= 0.10.0`

Weaknesses (CWE)

CWE-307

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

Low

References

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

x_refsource_CONFIRM

https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-39917

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References