Today > | 5 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-31226

May 16, 2024, 7:15 p.m.

CVSS Score

4.9 / 10

Product(s) Impacted

Sunshine

  • 0.17.0 - 0.22.2

Description

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

Weaknesses

Date

Published: May 16, 2024, 7:15 p.m.

Last Modified: May 16, 2024, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVSS Data

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

Base Score
4.9
Exploitability Score
Impact Score
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

References

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com