Description

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

INFO

Published Date :

2024-05-16T18:12:57.081Z

Last Modified :

2024-08-15T14:28:39.036Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-31226 vulnerability.

Vendors Products
Lizardbyte
  • Sunshine
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-31226.

URL Resource
https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a cve-icon cve-icon cve-icon
https://github.com/LizardByte/Sunshine/pull/2379 cve-icon cve-icon cve-icon
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact