CVE-2024-45407

Source
https://cve.org/CVERecord?id=CVE-2024-45407
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45407.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45407
Aliases
  • GHSA-jqph-8cp5-g874
Published
2024-09-10T15:13:20.126Z
Modified
2026-04-12T10:53:10.549190Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Sunshine: incorrect state management during the pairing process may lead to an incorrectly authorized client
Details

Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails because of the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted before the pairing request completes. As a result, access is allowed for the certificate belonging to the attacker.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-300"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45407.json"
}
References

Affected packages

Git / github.com/lizardbyte/sunshine

Affected ranges

Type
GIT
Repo
https://github.com/lizardbyte/sunshine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/lizardbyte/sunshine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1.0
v0.1.1
v0.10.0
v0.11.0
v0.11.1
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.8.0
v0.9.0

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-08decf6e",
        "deprecated": false,
        "digest": {
            "length": 90.0,
            "function_hash": "79212269734468993429517332230331363879"
        },
        "signature_version": "v1",
        "target": {
            "function": "erase_all_clients",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-1b773d93",
        "deprecated": false,
        "digest": {
            "length": 606.0,
            "function_hash": "39979495083684816289192702096810089678"
        },
        "signature_version": "v1",
        "target": {
            "function": "savePin",
            "file": "src/confighttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-45407-2cb1fc98",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "297994990129914146086865235826302485807",
                "155642314524837416649628778671608706042",
                "211759882194810430555607044120655843718",
                "335474929588838666741707809880695310807",
                "319980826222896484009657648763298792617",
                "107390337220611202167283524850170276303",
                "61360923311366211716078072802682864228",
                "14969831525804913481633909442443946772",
                "203938838348768238214466153808418258205",
                "200675060318399037628237110487153847998",
                "222298737570297262626752279973005835443",
                "135030443269793434679226181418605158791",
                "187997119310352691254401565683580840172",
                "228163349578517600430606529249218136546",
                "222298737570297262626752279973005835443",
                "21170900619538959339596686857135579674",
                "73034439076693063747232759546811585840",
                "64486108934936868153528771543456990151",
                "38085982149378376114920136372917771108",
                "45871337092401034546383337689716399428",
                "9864270206500668803625129888670893651",
                "329197142964702543482099611857975211442",
                "100400818484696874598945709005066697836",
                "49064892246924159849647658594468049043",
                "109660096863853336493376004598964859726",
                "312261165638509268866393113630623099104",
                "120887764482934267744152669253991833031",
                "339385930616561504602552934737950673032",
                "174813199160898327275773036089672628727",
                "183254063769236355334714426820198891092",
                "66256062643397696059271686862746853099",
                "95580415635651277577296969496167679413",
                "198510631898527540565528777749735090743",
                "132344773118243675520334323227049339435",
                "6024800265295294899910489901306749720",
                "168713464873121384011264895071748449515",
                "265256838363221748293537679530765670728",
                "210688582540632355644059435254515956339",
                "301567060969242947825174474934716207830",
                "322760373135883631790333205700665089256",
                "133259985350070199150668438364565709533",
                "298121729915845844460497323315349122053",
                "214738486619016447508119067386261746875",
                "229923292684358453301705173365340095159",
                "319875345607271598464643144575963664498",
                "207533076112943695191987944036404398373",
                "76863627097633415375916126952732552839",
                "14049440430808544001941581451377053134",
                "9530169316282012381897340918628153358",
                "178796665509005914198951222381352395216",
                "242740609155663917844144605501420855885",
                "16125677597609642159484746499416245799",
                "211917971423490152762963161182629087181",
                "134790019599827985855465277875556155783",
                "295132569349322808535693978103913690186",
                "40993688140176257317632852153744412001",
                "227225985748791797541841316768239122152",
                "141376522823171945971456710536434958728",
                "10168865416334011011533922326945426779",
                "133979392709935737048197898853280582109",
                "32000702486189381524676443213913787391",
                "299313248359046635822356888097019302606"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-3165c125",
        "deprecated": false,
        "digest": {
            "length": 2596.0,
            "function_hash": "100473803209564763223023129153623271624"
        },
        "signature_version": "v1",
        "target": {
            "function": "start",
            "file": "src/confighttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-45407-4c220073",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "199404061375479045682802808926558747202",
                "56002591324737040592928709433719606339",
                "196153095242715604828659509493595805230",
                "212297460980625633524140395679538314639",
                "98845817816723349459309724675312215600",
                "76629479879114293039652903835740903586",
                "67093990372281545358105119183418831829",
                "136324280022971754174178115867416821377",
                "235595662040589535121516113445922556258",
                "172952865184634195629354269833740085395",
                "103498504558674695590936231023539135406",
                "72125188165471922315628350932593552690",
                "114253681580649241706916810578969513137",
                "211554342638224549806561183520307821184",
                "194472104415512789825812371836410692268",
                "65400920364851888528775732942618460795",
                "322825557053178447013490999732418402870",
                "314187509424244913310506861087522812614",
                "273761721948110160968575255922072331237",
                "162206873368260959192125304112402560041",
                "192392926579003350420325317273490278180",
                "159260775721184225268898922268183756063",
                "313318977968546296476944328986743316958",
                "297358653463189913780331401197901222369",
                "333750917451068726375570270029636567095",
                "282352565926858650953764372694953301147",
                "257782680354835660027202941609432585517",
                "74494311658538430098517566555986672327",
                "63743698081868463128407421671067462372",
                "206717496704242393436593606842394982223",
                "78624256228427709615985764263037550709",
                "123446489744714493187889142897841217507",
                "283888792770854643524578823840742100103",
                "96351604532593009251317516106115867208",
                "138301489562115263177329307983224118915",
                "87813667101240703470408954244374605651",
                "51644183992157815754621187042840291754",
                "282186758163769648548161801463612213363",
                "233567172924519983159725467929895418987",
                "88733683113752775004855548527986008680",
                "247706739921817346474842395041231678698",
                "178106216374271404941554144354714192547",
                "239361631158024577517791656729091344231",
                "57778351642475584244711680477377645794",
                "329903471590493668827016036120031904383",
                "240061008265262049897928284130351151123",
                "111708766549982062342636204382193101079",
                "109560129914515142937291767576097424009",
                "49064892246924159849647658594468049043",
                "109660096863853336493376004598964859726",
                "67051978220777152994111894604546719735",
                "171107540463890140649493095881683028029",
                "67036639437413221873735933683160500460",
                "143116142786982105377616756093760232492",
                "308703975030323722055055995057956432208",
                "216753637753721281806835773530487171201",
                "121848307316608183958197771710644796181",
                "133780690605551364074850279305312034601",
                "90217791444646699192645624922264609677",
                "16111821078872827010629949575911840933",
                "192474388337779315895630892999964677535",
                "210379105209474829666852364701532398280",
                "143717700548335413277767893999386386843",
                "261695000644696281182556832981264055382",
                "321761338508106312309023778530179853537",
                "50112805390366484655653201750668767561",
                "182949501657805021251368644710893728772",
                "173151217580604189313948079502756910561",
                "320582012192093190757203745549706847145",
                "279009650406581597650522881143391727054",
                "241078912677464114309654740664943135416",
                "147736417631002221782512909509985384314",
                "285900015264750066782726521807409681748",
                "22663725130930005402883491542495570060",
                "187454732781911843426497474266850918208",
                "37160833241310122390733202440294700233",
                "57724645921354545986819998136943353797",
                "329592675722727352086824326591383469137",
                "76071314612862343988353636447331046056",
                "151032415618363329153845601843377942438",
                "29123465314210305743201231032869011366",
                "140735283107968078002305483901918588024",
                "78448761496726033314037558600892302391",
                "213854922846858838315892695396249928895",
                "159954202103777506778132383144300285864",
                "266990883857759506578118471571940224867",
                "175439150571029938752918242722861244957",
                "234734716437092894771298079355225419692",
                "320758142167686400978096375722603152341"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-53c4fb0c",
        "deprecated": false,
        "digest": {
            "length": 1078.0,
            "function_hash": "10675168464520664504414795452393915368"
        },
        "signature_version": "v1",
        "target": {
            "function": "pin",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-67b8d0d7",
        "deprecated": false,
        "digest": {
            "length": 1093.0,
            "function_hash": "155958258128883064485450453349150773632"
        },
        "signature_version": "v1",
        "target": {
            "function": "load_state",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-687da4ad",
        "deprecated": false,
        "digest": {
            "length": 1956.0,
            "function_hash": "54601167248108653359877116120606984832"
        },
        "signature_version": "v1",
        "target": {
            "function": "load_state",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-6e2ef22e",
        "deprecated": false,
        "digest": {
            "length": 996.0,
            "function_hash": "168696474100098116689246078587142325490"
        },
        "signature_version": "v1",
        "target": {
            "function": "save_state",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-6eaa729d",
        "deprecated": false,
        "digest": {
            "length": 397.0,
            "function_hash": "201562697526269715600032624518811251778"
        },
        "signature_version": "v1",
        "target": {
            "function": "update_id_client",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-45407-953a2b6f",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "93429542734657642811498959152565998040",
                "287709565333490370245524317442369225276",
                "205723269687495662171463420052029413522",
                "123105078412497535046709717516487423471",
                "297766766811435823850396733067208753885",
                "92146375694371175723707651423347904640",
                "98696966971817787355143148931935812511",
                "304776308766107659535112021184890154061",
                "23970871323682867699435583373551334625",
                "332305565311464449256247539870261964464",
                "330261405678878524983991742160699103519",
                "155340648343842651022800559831317581751"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "src/confighttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-a71f4b1e",
        "deprecated": false,
        "digest": {
            "length": 511.0,
            "function_hash": "164425822492757315477668116492942657034"
        },
        "signature_version": "v1",
        "target": {
            "function": "unpair_client",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-45407-cc2d8ef4",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "274073375456879715117497265039427097748",
                "94838090190118847675022324990242090868",
                "307257717247546167866636955218194274406",
                "176775897823089603951879246304873320632",
                "129459628789966305261021270537560469170",
                "89342820258783097202996960987305154795"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "src/nvhttp.h"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-d76bfe2c",
        "deprecated": false,
        "digest": {
            "length": 4071.0,
            "function_hash": "3107113781894382062760595783490520919"
        },
        "signature_version": "v1",
        "target": {
            "function": "start",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-eae9bed7",
        "deprecated": false,
        "digest": {
            "length": 1295.0,
            "function_hash": "139248540738958622465940202085565156847"
        },
        "signature_version": "v1",
        "target": {
            "function": "pin",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-ebd42361",
        "deprecated": false,
        "digest": {
            "length": 361.0,
            "function_hash": "117852098476273084977797507364316403419"
        },
        "signature_version": "v1",
        "target": {
            "function": "update_id_client",
            "file": "src/nvhttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-45407-fc97a082",
        "deprecated": false,
        "digest": {
            "length": 320.0,
            "function_hash": "135293395288776294721080060484457942332"
        },
        "signature_version": "v1",
        "target": {
            "function": "unpairAll",
            "file": "src/confighttp.cpp"
        },
        "source": "https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45407.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2024-05-27"
            }
        ]
    }
]
vanir_signatures_modified
"2026-04-12T10:53:10Z"