CVE-2024-31221 - Vulnerability Details - OpenCVE

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lizardbyte	Sunshine

Configuration 1 [-]

cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e
https://github.com/LizardByte/Sunshine/issues/2305
https://github.com/LizardByte/Sunshine/pull/2365
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m

History

Thu, 11 Sep 2025 21:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:lizardbyte:sunshine::::::::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-08T15:10:17.071Z

Updated: 2024-09-03T18:00:09.752Z

Reserved: 2024-03-29T14:16:31.901Z

Link: CVE-2024-31221

Vulnrichment

Updated: 2024-08-02T01:46:05.096Z

NVD

Status : Analyzed

Published: 2024-04-08T15:15:08.207

Modified: 2025-09-11T21:41:40.740

Link: CVE-2024-31221

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.901Z", "datePublished": "2024-04-08T15:10:17.071Z", "dateUpdated": "2024-09-03T18:00:09.752Z"}, "containers": {"cna": {"title": "Clients removed during unpairing process may regain access if Sunshine was not restarted", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"}, {"name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": ["x_refsource_MISC"], "url": "https://github.com/LizardByte/Sunshine/issues/2305"}, {"name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": ["x_refsource_MISC"], "url": "https://github.com/LizardByte/Sunshine/pull/2365"}, {"name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": ["x_refsource_MISC"], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"}], "affected": [{"vendor": "LizardByte", "product": "Sunshine", "versions": [{"version": ">= 0.10.0, < 0.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-08T15:10:17.071Z"}, "descriptions": [{"lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability."}], "source": {"advisory": "GHSA-v8gw-jw28-v55m", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:05.096Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"}, {"name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/LizardByte/Sunshine/issues/2305"}, {"name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/LizardByte/Sunshine/pull/2365"}, {"name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T17:59:28.747581Z", "id": "CVE-2024-31221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T18:00:09.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/LizardByte/Sunshine/issues/2305", "name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/LizardByte/Sunshine/pull/2365", "name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:05.096Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-07T17:59:28.747581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T18:00:05.441Z"}}], "cna": {"title": "Clients removed during unpairing process may regain access if Sunshine was not restarted", "source": {"advisory": "GHSA-v8gw-jw28-v55m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LizardByte", "product": "Sunshine", "versions": [{"status": "affected", "version": ">= 0.10.0, < 0.23.0"}]}], "references": [{"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LizardByte/Sunshine/issues/2305", "name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LizardByte/Sunshine/pull/2365", "name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-08T15:10:17.071Z"}}}, "cveMetadata": {"cveId": "CVE-2024-31221", "state": "PUBLISHED", "dateUpdated": "2024-09-03T18:00:09.752Z", "dateReserved": "2024-03-29T14:16:31.901Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-08T15:10:17.071Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4B46EB4-E7D7-4700-90B0-99FD69779A61", "versionEndExcluding": "0.23.0", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability."}, {"lang": "es", "value": "Sunshine es un anfitri\u00f3n de transmisi\u00f3n de juegos autohospedado para Moonlight. A partir de la versi\u00f3n 0.10.0 y antes de la versi\u00f3n 0.23.0, despu\u00e9s de desvincular todos los dispositivos en la interfaz de usuario web y luego vincular solo un dispositivo, todos los dispositivos anteriores se vincular\u00e1n temporalmente. La versi\u00f3n 0.23.0 contiene un parche para el problema. Como workaround, reiniciar Sunshine despu\u00e9s de desvincular todos los dispositivos previene la vulnerabilidad."}], "id": "CVE-2024-31221", "lastModified": "2025-09-11T21:41:40.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-08T15:15:08.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/LizardByte/Sunshine/issues/2305"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/LizardByte/Sunshine/pull/2365"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/LizardByte/Sunshine/issues/2305"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/LizardByte/Sunshine/pull/2365"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Secondary"}]}