CVE-2024-45407 MEDIUM

CVE-2024-45407: Sunshine has incorrect state management during pairing process may lead to incorrectly authorized client

Vendor Lizardbyte
Product Sunshine
Weakness CWE-300
Published September 10, 2024
Last update September 10, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.

Key dates

02Disclosure timeline

September 10, 2024 CVE published
September 10, 2024 Record updated