SCA: security update for Tgstation.Server.Api, Tgstation.Server.Host (GHSA-c3h4-9gc2-f7h4)

high Tenable Self-Hosted Container Security Plugin ID 413619

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission
users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host
machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a
separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted
security level (requiring a third separate, isolated privilege OR being set by another user) could lead to
this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of
attack is a known side effect of having privileged TGS users, but normally requires multiple privileges
with known weaknesses. This vector is not intentional as it does not require control over the where
deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration`
directory. This problem is fixed in versions 6.8.0 and above. (CVE-2024-41799)

See Also

https://github.com/advisories/GHSA-c3h4-9gc2-f7h4

Plugin Details

Severity: High

ID: 413619

Version: Revision 1.21

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-41799

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.3

Threat Score: 4.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/29/2024

Vulnerability Publication Date: 7/29/2024

Reference Information

CVE: CVE-2024-41799

cwe: CWE-22