Vulnerability Description
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lizardbyte | Sunshine | 2024-05-27 |
Related Weaknesses (CWE)
References
- https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476Patch
- https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aaPatch
- https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874ExploitVendor Advisory
FAQ
What is CVE-2024-45407?
CVE-2024-45407 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing au...
How severe is CVE-2024-45407?
CVE-2024-45407 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-45407?
Check the references section above for vendor advisories and patch information. Affected products include: Lizardbyte Sunshine.