CVE-2024-39917

Published: Jul 12, 2024Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Affected (1)

Products: Neutrinolabs: Xrdp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Neutrinolabs Xrdp	Before 0.10.0

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (5)

https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

Source: security-advisories@github.com

Patch

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

Source: security-advisories@github.com

Vendor Advisory

https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.