{"id":"CVE-2024-45407","summary":"Sunshine has incorrect state management during pairing process may lead to incorrectly authorized client","details":"Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.","aliases":["GHSA-jqph-8cp5-g874"],"modified":"2026-04-12T10:53:10.549190Z","published":"2024-09-10T15:13:20.126Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45407.json","cwe_ids":["CWE-300"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45407.json"},{"type":"ADVISORY","url":"https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45407"},{"type":"FIX","url":"https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772"},{"type":"FIX","url":"https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lizardbyte/sunshine","events":[{"introduced":"0"},{"fixed":"5fcd07ecb1428bfe245ad6fa349aead476c7e772"}]},{"type":"GIT","repo":"https://github.com/lizardbyte/sunshine","events":[{"introduced":"0"},{"fixed":"fd7e68457a134102d1b30af5796c79f2aa623224"}]}],"versions":["v0.1.0","v0.1.1","v0.10.0","v0.11.0","v0.11.1","v0.2.0","v0.3.0","v0.3.1","v0.4.0","v0.8.0","v0.9.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T10:53:10Z","unresolved_ranges":[{"events":[{"
introduced":"0"},{"last_affected":"2024-05-27"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45407.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"79212269734468993429517332230331363879","length":90},"target":{"file":"src/nvhttp.cpp","function":"erase_all_clients"},"id":"CVE-2024-45407-08decf6e"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"39979495083684816289192702096810089678","length":606},"target":{"file":"src/confighttp.cpp","function":"savePin"},"id":"CVE-2024-45407-1b773d93"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224","digest":{"threshold":0.9},"target":{"file":"src/nvhttp.cpp"},"id":"CVE-2024-45407-2cb1fc98"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"100473803209564763223023129153623271624","length":2596},"target":{"file":"src/confighttp.cpp","function":"start"},"id":"CVE-2024-45407-3165c125"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"threshold":0.9},"target":{"file":"src/nvhttp.cpp"},"id":"CVE-2024-45407-4c220073"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"10675168464520664504414795452393915368","length":1078},"target":{"file":"src/nvhttp.cpp","function":"pin"},"id":"CVE-2024-45407-53c4fb0c"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"155958258128883064485450453349150773632","length":1093},"target":{"file":"src/nvhttp.cpp","function":"load_state"},"id":"CVE-2024-45407-67b8d0d7"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224","digest":{"function_hash":"54601167248108653359877116120606984832","length":1956},"target":{"file":"src/nvhttp.cpp","function":"load_state"},"id":"CVE-2024-45407-687da4ad"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"168696474100098116689246078587142325490","length":996},"target":{"file":"src/nvhttp.cpp","function":"save_state"},"id":"CVE-2024-45407-6e2ef22e"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"201562697526269715600032624518811251778","length":397},"target":{"file":"src/nvhttp.cpp","function":"update_id_client"},"id":"CVE-2024-45407-6eaa729d"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"threshold":0.9},"target":{"file":"src/confighttp.cpp"},"id":"CVE-2024-45407-953a2b6f"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224","digest":{"function_hash":"164425822492757315477668116492942657034","length":511},"target":{"file":"src/nvhttp.cpp","function":"unpair_client"},"id":"CVE-2024-45407-a71f4b1e"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"threshold":0.9},"target":{"file":"src/nvhttp.h"},"id":"CVE-2024-45407-cc2d8ef4"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"3107113781894382062760595783490520919","length":4071},"target":{"file":"src/nvhttp.cpp","function":"start"},"id":"CVE-2024-45407-d76bfe2c"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224","digest":{"function_hash":"139248540738958622465940202085565156847","length":1295},"target":{"file":"src/nvhttp.cpp","function":"pin"},"id":"CVE-2024-45407-eae9bed7"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224","digest":{"function_hash":"117852098476273084977797507364316403419","length":361},"target":{"file":"src/nvhttp.cpp","function":"update_id_client"},"id":"CVE-2024-45407-ebd42361"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/lizardbyte/sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772","digest":{"function_hash":"135293395288776294721080060484457942332","length":320},"target":{"file":"src/confighttp.cpp","function":"unpairAll"},"id":"CVE-2024-45407-fc97a082"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}