CVE-2024-31226
May 16, 2024, 7:15 p.m.
4.9
Medium
Description
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
Product(s) Impacted
| Product | Versions |
|---|---|
| Sunshine |
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: PHYSICAL
- Attack Complexity: HIGH
- Privileges Required: HIGH
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: HIGH
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Timeline
Published: May 16, 2024, 7:15 p.m.
Last Modified: May 16, 2024, 7:15 p.m.
Last Modified: May 16, 2024, 7:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security-advisories@github.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.