U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-31226

Change History

New CVE Received by NIST 5/16/2024 3:15:49 PM

Action Type Old Value New Value
Added CVSS V3.1

GitHub, Inc. AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Added CWE

GitHub, Inc. CWE-428
Added Description

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
Added Reference

GitHub, Inc. https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a [No types assigned]
Added Reference

GitHub, Inc. https://github.com/LizardByte/Sunshine/pull/2379 [No types assigned]
Added Reference

GitHub, Inc. https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp [No types assigned]