CVE-2024-41799 (GCVE-0-2024-41799)
Vulnerability from cvelistv5
Published
2024-07-29 15:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration` directory. This problem is fixed in versions 6.8.0 and above.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tgstation | tgstation-server |
Version: >= 4.0.0, < 6.8.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tgstation13:tgstation-server:4.0.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tgstation-server",
"vendor": "tgstation13",
"versions": [
{
"lessThan": "6.8.0",
"status": "affected",
"version": "4.0.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T17:40:12.363650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T17:42:45.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tgstation-server",
"vendor": "tgstation",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 6.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \"Set .dme Path\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:00:23.851Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"source": {
"advisory": "GHSA-c3h4-9gc2-f7h4",
"discovery": "UNKNOWN"
},
"title": "tgstation-server\u0027s DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41799",
"datePublished": "2024-07-29T15:00:23.851Z",
"dateReserved": "2024-07-22T13:57:37.134Z",
"dateUpdated": "2024-08-02T04:46:52.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-41799\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-29T15:15:16.267\",\"lastModified\":\"2025-08-19T14:35:40.017\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \\\"Set .dme Path\\\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above.\"},{\"lang\":\"es\",\"value\":\"tgstation-server es una herramienta a escala de producci\u00f3n para la gesti\u00f3n de servidores BYOND. Antes de 6.8.0, los usuarios con permisos bajos que usaban el privilegio \\\"Set .dme Path\\\" pod\u00edan configurar archivos .dme maliciosos existentes en la m\u00e1quina host para compilarlos y ejecutarlos. Estos archivos .dme se pueden cargar a trav\u00e9s del servidor tgstation (que requiere un privilegio aislado e independiente) o por alg\u00fan otro medio. Un servidor configurado para ejecutarse en el nivel de seguridad confiable de BYOND (que requiere un tercer privilegio separado y aislado O que lo establezca otro usuario) podr\u00eda llevar a que esto se convierta en una ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s del proceso shell() de BYOND. La capacidad de ejecutar este tipo de ataque es un efecto secundario conocido de tener usuarios privilegiados de TGS, pero normalmente requiere m\u00faltiples privilegios con debilidades conocidas. Este vector no es intencional ya que no requiere control sobre el origen del c\u00f3digo de implementaci\u00f3n y _puede_ no requerir acceso de escritura remota al directorio \\\"Configuration\\\" de una instancia. Este problema se solucion\u00f3 en las versiones 6.8.0 y superiores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"6.8.0\",\"matchCriteriaId\":\"D5027F60-9636-4DD0-AFC9-8B6A7A64E3B9\"}]}]}],\"references\":[{\"url\":\"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tgstation/tgstation-server/pull/1835\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tgstation/tgstation-server/pull/1835\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"name\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"name\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"name\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:46:52.940Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41799\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-29T17:40:12.363650Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:tgstation13:tgstation-server:4.0.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"tgstation13\", \"product\": \"tgstation-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0.0\", \"lessThan\": \"6.8.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-29T17:42:40.681Z\"}}], \"cna\": {\"title\": \"tgstation-server\u0027s DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users\", \"source\": {\"advisory\": \"GHSA-c3h4-9gc2-f7h4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"tgstation\", \"product\": \"tgstation-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 6.8.0\"}]}], \"references\": [{\"url\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"name\": \"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"name\": \"https://github.com/tgstation/tgstation-server/pull/1835\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"name\": \"https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \\\"Set .dme Path\\\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-29T15:00:23.851Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-41799\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:46:52.940Z\", \"dateReserved\": \"2024-07-22T13:57:37.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-29T15:00:23.851Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…