CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41799 – tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users
https://notcve.org/view.php?id=CVE-2024-41799
tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. • https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4 https://github.com/tgstation/tgstation-server/pull/1835 https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34243 – Windows user name disclosure in TGstation
https://notcve.org/view.php?id=CVE-2023-34243
TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. • https://github.com/tgstation/tgstation-server/pull/1526 https://github.com/tgstation/tgstation-server/security/advisories/GHSA-w3jx-4x93-76ph • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33198 – Incorrectly Specified Chat Message Destinations in tgstation-server and DreamMaker API
https://notcve.org/view.php?id=CVE-2023-33198
tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This can result in sending chat messages to one of any of the configured IRC or Discord channels for the instance on enabled chat bots. This lasts until the instance's chat channels are updated in TGS or DreamDaemon is restarted. TGS chat commands are unaffected, custom or otherwise. • https://github.com/tgstation/tgstation-server/pull/1493 https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.2 https://github.com/tgstation/tgstation-server/security/advisories/GHSA-p2xj-w57r-6f5m • CWE-941: Incorrectly Specified Destination in a Communication Channel •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32687 – Insufficiently Protected ChatBot Credentials in tgstation-server
https://notcve.org/view.php?id=CVE-2023-32687
tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety. • https://github.com/tgstation/tgstation-server/pull/1487 https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1 https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2020-16136
https://notcve.org/view.php?id=CVE-2020-16136
In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine (accessible by the owner of the server process) via directory traversal ../ sequences in /Administration/Logs/ requests. The attacker is unable to enumerate files, however. En tgstation-server versiones 4.4.0 y 4.4.1, un usuario autenticado con permiso para descargar registros puede descargar cualquier archivo en la máquina del servidor (accesible por el propietario del proceso del servidor) por medio de secuencias ../ de salto de directorio en peticiones a /Administration/Logs/. Sin embargo, el atacante no puede enumerar archivos • https://github.com/tgstation/tgstation-server https://github.com/tgstation/tgstation-server/security/advisories/GHSA-r8pp-42wr-2gc4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •