CVE-2024-39917 - OpenCVE

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Neutrinolabs	Xrdp

Configuration 1 [-]

cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

History

Tue, 04 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

Thu, 05 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Neutrinolabs Neutrinolabs xrdp
CPEs		cpe:2.3:a:neutrinolabs:xrdp::::::::
Vendors & Products		Neutrinolabs Neutrinolabs xrdp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-12T15:24:01.307Z

Updated: 2025-11-03T19:30:23.757Z

Reserved: 2024-07-02T19:37:18.602Z

Link: CVE-2024-39917

Vulnrichment

Updated: 2025-11-03T19:30:23.757Z

NVD

Status : Modified

Published: 2024-07-12T16:15:04.620

Modified: 2025-11-03T20:16:26.580

Link: CVE-2024-39917

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-39917", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-02T19:37:18.602Z", "datePublished": "2024-07-12T15:24:01.307Z", "dateUpdated": "2025-11-03T19:30:23.757Z"}, "containers": {"cna": {"title": "xrdp allows an ininite number of login attempts", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}], "affected": [{"vendor": "neutrinolabs", "product": "xrdp", "versions": [{"version": "<= 0.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-12T15:24:01.307Z"}, "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}], "source": {"advisory": "GHSA-7w22-h4w7-8j5j", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "neutrinolabs", "product": "xrdp", "cpes": ["cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.10.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-12T15:43:14.463299Z", "id": "CVE-2024-39917", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:45:05.246Z"}}, {"title": "CVE Program Container", "references": [{"name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:30:23.757Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:30:23.757Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-12T15:43:14.463299Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*"], "vendor": "neutrinolabs", "product": "xrdp", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.10.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:45:00.904Z"}}], "cna": {"title": "xrdp allows an ininite number of login attempts", "source": {"advisory": "GHSA-7w22-h4w7-8j5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "neutrinolabs", "product": "xrdp", "versions": [{"status": "affected", "version": "<= 0.10.0"}]}], "references": [{"url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "name": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-12T15:24:01.307Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39917", "state": "PUBLISHED", "dateUpdated": "2025-11-03T19:30:23.757Z", "dateReserved": "2024-07-02T19:37:18.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-12T15:24:01.307Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*", "matchCriteriaId": "86B81D51-A16A-41F1-8DD4-AA5BCDBC72BB", "versionEndExcluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. "}, {"lang": "es", "value": "xrdp es un servidor RDP de c\u00f3digo abierto. Las versiones de xrdp anteriores a la 0.10.0 tienen una vulnerabilidad que permite a los atacantes realizar una cantidad infinita de intentos de inicio de sesi\u00f3n. Se supone que el n\u00famero m\u00e1ximo de intentos de inicio de sesi\u00f3n est\u00e1 limitado por un par\u00e1metro de configuraci\u00f3n `MaxLoginRetry` en `/etc/xrdp/sesman.ini`. Sin embargo, este mecanismo no estaba funcionando eficazmente. Como resultado, xrdp permite una cantidad infinita de intentos de inicio de sesi\u00f3n."}], "id": "CVE-2024-39917", "lastModified": "2025-11-03T20:16:26.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-12T16:15:04.620", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "[email protected]", "type": "Primary"}]}