Clients removed during unpairing process may regain access if Sunshine was not restarted

Moderate
ReenigneArcher published GHSA-v8gw-jw28-v55m Apr 7, 2024

Package

sunshine

Affected versions

>= 0.10.0, < 0.23.0

Patched versions

v0.23.0

Description

Impact

After unpairing all devices in the web UI and then pairing only one device, all of the previously paired devices will be temporarily paired. Once Sunshine is restarted, only the clients that were re-paired would have access, as intended.

Patches

v0.23.0

Workarounds

Restarting Sunshine after unpairing all devices prevents the vulnerability.

References

Severity

Moderate 4.6 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-31221

Weaknesses

No CWEs

Credits