CVE-2022-23483: 
xrdp vulnerability analysis and mitigation

xrdp, an open source project providing graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP), was found to contain an Out-of-Bounds Read vulnerability in the libxrdpsendto_channel() function affecting versions prior to v0.9.21. The vulnerability was assigned CVE-2022-23483 and received a CVSS v3.1 base score of 9.1 (Critical) from NIST NVD, while GitHub assessed it with a score of 7.5 (High) (NVD, GitHub Advisory).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) that occurs in the libxrdpsendto_channel() function. The issue affects the core functionality of xrdp's remote desktop protocol implementation. The severity assessment varies between sources, with NIST NVD assigning a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (9.1 Critical), while GitHub's assessment shows CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) (NVD).

The vulnerability could allow attackers to crash the program or extract sensitive information through out-of-bounds reads. The high confidentiality impact rating suggests potential exposure of sensitive data, while the varying availability impact assessments indicate potential system disruption (Ubuntu Notice).

There are no known workarounds for this vulnerability. Users are advised to upgrade to xrdp version 0.9.21 or later. Various Linux distributions have released security updates to address this issue, including Debian (version 0.9.21.1-1~deb11u1) and Ubuntu through their respective security updates (Debian Advisory, GitHub Advisory).