{"api_version":"1","generated_at":"2026-04-18T04:14:46+00:00","cve":"CVE-2020-4044","urls":{"html":"https://cve.report/CVE-2020-4044","api":"https://cve.report/api/cve/CVE-2020-4044.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-4044","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-4044"},"summary":{"title":"CVE-2020-4044","description":"The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2020-06-30 16:15:00","updated_at":"2020-08-14 21:15:00"},"problem_types":["CWE-121"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00037.html","name":"openSUSE-SU-2020:1200","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1200-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4","name":"https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Local users can perform a buffer overflow attack against the xrdp-sesman service and then impersonate it · Advisory · neutrinolabs/xrdp · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00036.html","name":"openSUSE-SU-2020:0999","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0999-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2020/dsa-4737","name":"DSA-4737","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4737-1 xrdp","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c","name":"https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Merge pull request from GHSA-j9fv-6fwf-p3g4 · neutrinolabs/xrdp@0c791d0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1","name":"https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"Release xrdp v0.9.13.1 · neutrinolabs/xrdp · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html","name":"[debian-lts-announce] 20200809 [SECURITY] [DLA 2319-1] xrdp security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2319-1] xrdp security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-4044","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4044","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"4044","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"neutrinolabs","cpe5":"xrdp","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"4044","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"neutrinolabs","cpe5":"xrdp","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-4044","qid":"199888","title":"Ubuntu Security Notification for xrdp Vulnerability (USN-6469-1)"},{"cve":"CVE-2020-4044","qid":"501332","title":"Alpine Linux Security Update for xrdp"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2020-4044","STATE":"PUBLIC","TITLE":"Local users can perform a buffer overflow attack against the xrdp-sesman service and then impersonate it"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xrdp","version":{"version_data":[{"version_value":"< 0.9.13.1"}]}}]},"vendor_name":"neutrinolabs"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-121: Stack-based Buffer Overflow"}]}]},"references":{"reference_data":[{"name":"https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4","refsource":"CONFIRM","url":"https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4"},{"name":"https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1","refsource":"MISC","url":"https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.13.1"},{"name":"https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c","refsource":"MISC","url":"https://github.com/neutrinolabs/xrdp/commit/0c791d073d0eb344ee7aaafd221513dc9226762c"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0999","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00036.html"},{"refsource":"DEBIAN","name":"DSA-4737","url":"https://www.debian.org/security/2020/dsa-4737"},{"refsource":"MLIST","name":"[debian-lts-announce] 20200809 [SECURITY] [DLA 2319-1] xrdp security update","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1200","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00037.html"}]},"source":{"advisory":"GHSA-j9fv-6fwf-p3g4","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2020-06-30 16:15:00","lastModifiedDate":"2020-08-14 21:15:00","problem_types":["CWE-121"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.6},"severity":"MEDIUM","exploitabilityScore":3.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*","versionEndExcluding":"0.9.13.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"4044","Ordinal":"164037","Title":"CVE-2020-4044","CVE":"CVE-2020-4044","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"4044","Ordinal":"1","NoteData":"The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"4044","Ordinal":"2","NoteData":"2020-06-30","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"4044","Ordinal":"3","NoteData":"2020-08-14","Type":"Other","Title":"Modified"}]}}}