CVE-2024-41799 (GCVE-0-2024-41799)
Vulnerability from cvelistv5 – Published: 2024-07-29 15:00 – Updated: 2024-08-02 04:46
Title
tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users
Summary
tgstation-server is a production-scale tool for BYOND server management. Prior to 6.8.0, low-permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over where deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration` directory. This problem is fixed in versions 6.8.0 and above.
Severity
8.4 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
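Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4 | x_refsource_CONFIRM |
| https://github.com/tgstation/tgstation-server/pull/1835 | x_refsource_MISC |
| https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4 | x_refsource_MISC |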
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tgstation | tgstation-server | Affected: >= 4.0.0, < 6.8.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tgstation13:tgstation-server:4.0.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tgstation-server",
"vendor": "tgstation13",
"versions": [
{
"lessThan": "6.8.0",
"status": "affected",
"version": "4.0.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T17:40:12.363650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T17:42:45.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tgstation-server",
"vendor": "tgstation",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 6.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the \"Set .dme Path\" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND\u0027s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND\u0027s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance\u0027s `Configuration` directory. This problem is fixed in versions 6.8.0 and above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:00:23.851Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4"
},
{
"name": "https://github.com/tgstation/tgstation-server/pull/1835",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/pull/1835"
},
{
"name": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4"
}
],
"source": {
"advisory": "GHSA-c3h4-9gc2-f7h4",
"discovery": "UNKNOWN"
},
"title": "tgstation-server\u0027s DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41799",
"datePublished": "2024-07-29T15:00:23.851Z",
"dateReserved": "2024-07-22T13:57:37.134Z",
"dateUpdated": "2024-08-02T04:46:52.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.