// For flags

CVE-2023-42799

Buffer overflow due to use of `strcpy` in `parseUrlAddrFromRtspUrlString`

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 due to unmitigated usage of unsafe C functions and improper bounds checking. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client, or achieve remote code execution (RCE) on the client (with insufficient exploit mitigations or if mitigations can be bypassed). The bug was addressed in commit 02b7742f4d19631024bd766bd2bb76715780004e.

Moonlight-common-c contiene el código principal del cliente GameStream compartido entre los clientes Moonlight. Moonlight-common-c es vulnerable al desbordamiento del búfer a partir de el commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 debido al uso absoluto de funciones C inseguras y a una verificación de los límites inadecuada. Un servidor de transmisión de juegos malicioso podría aprovechar una vulnerabilidad de desbordamiento del búfer para bloquear un cliente de luz nocturna o lograr la ejecución remota de código (RCE) en el cliente (con mitigaciones de explotación insuficientes o si se pueden evitar las mitigaciones). El error se solucionó en el commit 02b7742f4d19631024bd766bd2bb76715780004e.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-09-14 CVE Reserved
  • 2023-12-14 CVE Published
  • 2024-10-08 CVE Updated
  • 2024-10-08 First Exploit
  • 2024-11-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight-common-c
Search vendor "Moonlight-stream" for product "Moonlight-common-c"
>= 2022-11-04 < 2023-10-06
Search vendor "Moonlight-stream" for product "Moonlight-common-c" and version " >= 2022-11-04 < 2023-10-06"
-
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight
Search vendor "Moonlight-stream" for product "Moonlight"
>= 8.4.0 <= 8.5.0
Search vendor "Moonlight-stream" for product "Moonlight" and version " >= 8.4.0 <= 8.5.0"
iphone_os
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight
Search vendor "Moonlight-stream" for product "Moonlight"
>= 8.4.0 <= 8.5.0
Search vendor "Moonlight-stream" for product "Moonlight" and version " >= 8.4.0 <= 8.5.0"
tvos
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight
Search vendor "Moonlight-stream" for product "Moonlight"
>= 10.10 <= 11.0
Search vendor "Moonlight-stream" for product "Moonlight" and version " >= 10.10 <= 11.0"
android
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight
Search vendor "Moonlight-stream" for product "Moonlight"
0.10.22
Search vendor "Moonlight-stream" for product "Moonlight" and version "0.10.22"
chrome
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight Embedded
Search vendor "Moonlight-stream" for product "Moonlight Embedded"
2.6.0
Search vendor "Moonlight-stream" for product "Moonlight Embedded" and version "2.6.0"
-
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight Xbox
Search vendor "Moonlight-stream" for product "Moonlight Xbox"
>= 1.12.0 <= 1.14.40
Search vendor "Moonlight-stream" for product "Moonlight Xbox" and version " >= 1.12.0 <= 1.14.40"
-
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight Tv
Search vendor "Moonlight-stream" for product "Moonlight Tv"
>= 1.5.4 <= 1.5.27
Search vendor "Moonlight-stream" for product "Moonlight Tv" and version " >= 1.5.4 <= 1.5.27"
-
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight Switch
Search vendor "Moonlight-stream" for product "Moonlight Switch"
>= 0.13 <= 0.13.3
Search vendor "Moonlight-stream" for product "Moonlight Switch" and version " >= 0.13 <= 0.13.3"
-
Affected
Moonlight-stream
Search vendor "Moonlight-stream"
Moonlight Vita
Search vendor "Moonlight-stream" for product "Moonlight Vita"
>= 0.9.2 <= 0.9.3
Search vendor "Moonlight-stream" for product "Moonlight Vita" and version " >= 0.9.2 <= 0.9.3"
-
Affected