CVE-2024-31226

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-31226
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31226.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-31226
Related
  • GHSA-r3rw-mx4q-7vfp
Published
2024-05-16T19:15:49Z
Modified
2025-01-08T15:59:31.061953Z
Summary
[none]
Details

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:. Require that all executables be placed in write-protected directories.

References

Affected packages

Git / github.com/lizardbyte/sunshine

Affected ranges

Type
GIT
Repo
https://github.com/lizardbyte/sunshine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.5.0

Other

nightly-dev

v0.*

v0.1.0
v0.1.1
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.6.0
v0.7.0
v0.7.1
v0.7.7
v0.8.0
v0.9.0