CVE-2025-21611

Jan. 6, 2025, 4:15 p.m.

8.8
High

Description

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is release in tgstation-server-v6.12.3.

Product(s) Impacted

Product Versions
tgstation-server
  • before 6.12.3

Weaknesses

CWE-285
Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/tgstation/tgstation-server/commit/e7b1189620baaf03c2d23f6e164d07c7c7d87d57
https://github.com/tgstation/tgstation-server/issues/2064
https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rf5r-q276-vrc4

Tags

security-advisories@github.com
CWE-285
2025-01-06
CVE-2025-21611

CVSS Score

8.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: Jan. 6, 2025, 4:15 p.m.
  • Last Modified: Jan. 6, 2025, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.