CVE-2024-41799 (GCVE-0-2024-41799)
Vulnerability from cvelistv5
Published
2024-07-29 15:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration` directory. This problem is fixed in versions 6.8.0 and above.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tgstation | tgstation-server |
Version: >= 4.0.0, < 6.8.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tgstation13:tgstation-server:4.0.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tgstation-server",
"vendor": "tgstation13",
"versions": [
{
"lessThan": "6.8.0",
"status": "affected",
"version": "4.0.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T17:40:12.363650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T17:42:45.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tgstation-server",
"vendor": "tgstation",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 6.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \"Set .dme Path\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:00:23.851Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"source": {
"advisory": "GHSA-c3h4-9gc2-f7h4",
"discovery": "UNKNOWN"
},
"title": "tgstation-server\u0027s DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41799",
"datePublished": "2024-07-29T15:00:23.851Z",
"dateReserved": "2024-07-22T13:57:37.134Z",
"dateUpdated": "2024-08-02T04:46:52.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"name\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"name\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"name\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:46:52.940Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41799\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-29T17:40:12.363650Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:tgstation13:tgstation-server:4.0.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"tgstation13\", \"product\": \"tgstation-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0.0\", \"lessThan\": \"6.8.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-29T17:42:40.681Z\"}}], \"cna\": {\"title\": \"tgstation-server\u0027s DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users\", \"source\": {\"advisory\": \"GHSA-c3h4-9gc2-f7h4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"tgstation\", \"product\": \"tgstation-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 6.8.0\"}]}], \"references\": [{\"url\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"name\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"name\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"name\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \\\"Set .dme Path\\\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-29T15:00:23.851Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-41799\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:46:52.940Z\", \"dateReserved\": \"2024-07-22T13:57:37.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-29T15:00:23.851Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…