Search criteria
10 vulnerabilities by LizardByte
CVE-2025-54081 (GCVE-0-2025-54081)
Vulnerability from cvelistv5 – Published: 2025-09-23 18:18 – Updated: 2025-09-23 19:17
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
Severity ?
6.7 (Medium)
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
< 2025.923.33222
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54081",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T19:15:27.573785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T19:17:53.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.923.33222"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428: Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T18:18:39.474Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824"
},
{
"name": "https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222"
}
],
"source": {
"advisory": "GHSA-6p7j-5v8v-w45h",
"discovery": "UNKNOWN"
},
"title": "SunshineService Has Unquoted Service Path That Allows Local SYSTEM Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54081",
"datePublished": "2025-09-23T18:18:39.474Z",
"dateReserved": "2025-07-16T13:22:18.207Z",
"dateUpdated": "2025-09-23T19:17:53.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10199 (GCVE-0-2025-10199)
Vulnerability from cvelistv5 – Published: 2025-09-09 17:30 – Updated: 2025-11-03 18:08
VLAI?
Summary
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
Severity ?
7.8 (High)
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine for Windows |
Affected:
v2025.122.141614
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:16:49.041628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T13:43:59.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:08:25.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/974249"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sunshine for Windows",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "v2025.122.141614"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-428: Unquoted Search Path or Element",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:30:50.158Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A local privilege escalation vulnerability exists in LizardBytes\u0027 Sunshine for Windows",
"x_generator": {
"engine": "VINCE 3.0.24",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10199"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-10199",
"datePublished": "2025-09-09T17:30:19.958Z",
"dateReserved": "2025-09-09T17:28:39.083Z",
"dateUpdated": "2025-11-03T18:08:25.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10198 (GCVE-0-2025-10198)
Vulnerability from cvelistv5 – Published: 2025-09-09 17:28 – Updated: 2025-11-03 18:08
VLAI?
Summary
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine for Windows |
Affected:
v2025.122.141614
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:17:00.097504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T13:44:06.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:08:24.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/974249"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sunshine for Windows",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "v2025.122.141614"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T17:28:14.696Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://github.com/LizardByte/Sunshine/pull/3971"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LizardBytes Sunshine for Windows contains a DLL search-order hijacking vulnerability",
"x_generator": {
"engine": "VINCE 3.0.24",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10198"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-10198",
"datePublished": "2025-09-09T17:28:14.696Z",
"dateReserved": "2025-09-09T17:25:14.481Z",
"dateUpdated": "2025-11-03T18:08:24.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53095 (GCVE-0-2025-53095)
Vulnerability from cvelistv5 – Published: 2025-07-01 01:33 – Updated: 2025-07-01 13:21
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.
Severity ?
9.7 (Critical)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
< 2025.628.4510
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T13:21:05.692690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T13:21:15.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.628.4510"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the \"Command Preparations\" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T01:33:22.331Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0"
}
],
"source": {
"advisory": "GHSA-39hj-fxvw-758m",
"discovery": "UNKNOWN"
},
"title": "Sunshine application-wide CSRF in the UI leads to command injection as Administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53095",
"datePublished": "2025-07-01T01:33:22.331Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-07-01T13:21:15.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53096 (GCVE-0-2025-53096)
Vulnerability from cvelistv5 – Published: 2025-07-01 01:33 – Updated: 2025-07-01 13:21
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.
Severity ?
5.4 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
< 2025.628.4510
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-01T13:21:36.325765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T13:21:41.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.628.4510"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T01:33:01.336Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc"
}
],
"source": {
"advisory": "GHSA-x97g-h2vp-g2c5",
"discovery": "UNKNOWN"
},
"title": "Sunshine clickjacking in the UI leads to unauthorized actions being performed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53096",
"datePublished": "2025-07-01T01:33:01.336Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-07-01T13:21:41.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51738 (GCVE-0-2024-51738)
Vulnerability from cvelistv5 – Published: 2025-01-20 15:26 – Updated: 2025-01-21 14:59
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
< 2025.118.151840
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T14:59:20.927312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T14:59:35.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.118.151840"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine\u0027s pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841: Improper Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-20T15:26:03.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd"
}
],
"source": {
"advisory": "GHSA-3hrw-xv8h-9499",
"discovery": "UNKNOWN"
},
"title": "Sunshine improperly enforces pairing protocol request order"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51738",
"datePublished": "2025-01-20T15:26:03.955Z",
"dateReserved": "2024-10-31T14:12:45.788Z",
"dateUpdated": "2025-01-21T14:59:35.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45407 (GCVE-0-2024-45407)
Vulnerability from cvelistv5 – Published: 2024-09-10 15:13 – Updated: 2024-09-10 16:12
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
Severity ?
6.5 (Medium)
CWE
- CWE-300 - Channel Accessible by Non-Endpoint
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
>= 5fcd07ecb1428bfe245ad6fa349aead476c7e772, < fd7e68457a134102d1b30af5796c79f2aa623224
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:12:07.341939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T16:12:18.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003e= 5fcd07ecb1428bfe245ad6fa349aead476c7e772, \u003c fd7e68457a134102d1b30af5796c79f2aa623224"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-300",
"description": "CWE-300: Channel Accessible by Non-Endpoint",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:13:20.126Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
}
],
"source": {
"advisory": "GHSA-jqph-8cp5-g874",
"discovery": "UNKNOWN"
},
"title": "Sunshine has incorrect state management during pairing process may lead to incorrectly authorized client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45407",
"datePublished": "2024-09-10T15:13:20.126Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-09-10T16:12:18.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31226 (GCVE-0-2024-31226)
Vulnerability from cvelistv5 – Published: 2024-05-16 18:12 – Updated: 2024-08-15 14:28
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
Severity ?
4.9 (Medium)
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
>= 0.17.0, < 0.23.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"
},
{
"name": "https://github.com/LizardByte/Sunshine/pull/2379",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/pull/2379"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sunshine",
"vendor": "lizardbyte",
"versions": [
{
"lessThan": "0.23",
"status": "affected",
"version": "0.17",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T20:37:55.439986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T14:28:39.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.17.0, \u003c 0.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\\Program.exe`, `C:\\Program.bat`, or `C:\\Program.cmd` on the user\u0027s computer. This attack vector isn\u0027t exploitable unless the user has manually loosened ACLs on the system drive. If the user\u0027s system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428: Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T18:12:57.081Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"
},
{
"name": "https://github.com/LizardByte/Sunshine/pull/2379",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/pull/2379"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a"
}
],
"source": {
"advisory": "GHSA-r3rw-mx4q-7vfp",
"discovery": "UNKNOWN"
},
"title": "Sunshine\u0027s unquoted executable path could lead to hijacked execution flow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31226",
"datePublished": "2024-05-16T18:12:57.081Z",
"dateReserved": "2024-03-29T14:16:31.902Z",
"dateUpdated": "2024-08-15T14:28:39.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31221 (GCVE-0-2024-31221)
Vulnerability from cvelistv5 – Published: 2024-04-08 15:10 – Updated: 2024-09-03 18:00
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability.
Severity ?
5.9 (Medium)
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
>= 0.10.0, < 0.23.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:05.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"
},
{
"name": "https://github.com/LizardByte/Sunshine/issues/2305",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/issues/2305"
},
{
"name": "https://github.com/LizardByte/Sunshine/pull/2365",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/pull/2365"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T17:59:28.747581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:00:09.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.10.0, \u003c 0.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-08T15:10:17.071Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"
},
{
"name": "https://github.com/LizardByte/Sunshine/issues/2305",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/issues/2305"
},
{
"name": "https://github.com/LizardByte/Sunshine/pull/2365",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/pull/2365"
},
{
"name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"
}
],
"source": {
"advisory": "GHSA-v8gw-jw28-v55m",
"discovery": "UNKNOWN"
},
"title": "Clients removed during unpairing process may regain access if Sunshine was not restarted"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31221",
"datePublished": "2024-04-08T15:10:17.071Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-09-03T18:00:09.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31220 (GCVE-0-2024-31220)
Vulnerability from cvelistv5 – Published: 2024-04-05 14:59 – Updated: 2024-08-02 01:46
VLAI?
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.
Severity ?
7.3 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LizardByte | Sunshine |
Affected:
>= 0.16.0, < 0.18.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T19:25:09.102631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:28.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc"
},
{
"name": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sunshine",
"vendor": "LizardByte",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.16.0, \u003c 0.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T14:59:52.662Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc"
},
{
"name": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0"
}
],
"source": {
"advisory": "GHSA-6rg7-7m3w-w5wc",
"discovery": "UNKNOWN"
},
"title": "Sunshine vulnerable to remote unauthenticated arbitrary file read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31220",
"datePublished": "2024-04-05T14:59:52.662Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-08-02T01:46:04.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}