Lucene search

[email protected]NVD:CVE-2024-31220

HistoryApr 05, 2024 - 3:15 p.m.

CVE-2024-31220

2024-04-0515:15:08

CWE-22

[email protected]

web.nvd.nist.gov

cve-2024-31220

moonlight

path traversal

remote read

authentication

http/s request

user interface

firewall

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

10.6%

JSON

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the node_modules endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.

References

github.com/LizardByte/Sunshine/releases/tag/v0.18.0

github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for NVD:CVE-2024-31220

cvelist1 cve1