Skip to main content

Sunshine CVE-2024-31226

LOW
Unquoted Search Path or Element (CWE-428)
2024-05-16 security-advisories@github.com
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 16, 2024 - 19:15 nvd
LOW 2.9

DescriptionNVD

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:. Require that all executables be placed in write-protected directories.

AnalysisAI

Sunshine is a self-hosted game stream host for Moonlight. Rated low severity (CVSS 2.9).

Technical ContextAI

This vulnerability is classified under CWE-428. Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:. Require that all executables be placed in write-protected directories. Affected products include: Lizardbyte Sunshine. Version information: through 0.22.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2024-31226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy