Cyber Resilience

CVE-2024-41799

Severity: High
Published: 29 July 2024
Modified: 19 August 2025
KEV Added: not listed
Patch: available (fixed in 6.8.0)
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H)
EPSS Score: 0.0702 (91.7th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41799 is a high-severity Path Traversal (CWE-22) vulnerability in Tgstation13 Tgstation-Server. Its CVSS base score is 8.4 (High).

Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

tgstation-server is a tool for managing BYOND game servers. Prior to version 6.8.0, the product contained a path traversal weakness (CWE-22) that allowed holders of the isolated "Set .dme Path" privilege to designate arbitrary .dme files present on the host for compilation and execution. These files could have been placed via the separate upload privilege or by other means; when the instance was also configured to run under BYOND's trusted security level, the weakness could be chained to remote code execution through the shell() procedure.

An attacker therefore needs only low-privileged authenticated access plus the single targeted right; the resulting compromise can yield full control over the BYOND runtime and, by extension, the underlying host when trusted mode is enabled. The vendor notes that this vector bypasses the normal requirement for control over deployment sources and may not even need write access to an instance's Configuration directory.

Public advisories and the accompanying patches state that the issue is resolved in tgstation-server 6.8.0 and later; the fix is tracked in GitHub Security Advisory GHSA-c3h4-9gc2-f7h4 together with the referenced commits and pull request 1835. The EPSS score has remained flat at 0.0702 with no material increase after disclosure.

Vulnerability details

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over where deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration` directory. This problem is fixed in versions 6.8.0 and above.

CWE(s)

CWE-22: Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tgstation13
Product: tgstation-server
Versions: 4.0.0 up to, but not including, 6.8.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
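The control above, and the "Set .dme Path" weakness described under "Deeper analysis", both come down to one check: a user-supplied file name must resolve to a location inside the directory the instance is allowed to compile from. The following is an added illustration of that containment check, written here for this page; it is not tgstation-server's code (the real product is a .NET application and its directory layout is not described on this page). The instance root, the function names and the sample requests are all assumptions.

```python
"""Containment check for a user-supplied .dme path (illustrative, not tgstation-server code)."""
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path is not an acceptable .dme inside the instance root."""


def resolve_dme_path(instance_root: str, requested: str) -> Path:
    """Return the canonical path of `requested` if it is a .dme file inside `instance_root`.

    `instance_root` is the single directory this instance may compile from (hypothetical
    layout). `requested` is the untrusted string supplied by a "Set .dme Path" holder.
    """
    if not isinstance(requested, str) or not requested.strip():
        raise PathTraversalError("empty path")
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    # Only .dme files may be designated; this also rejects names like ".dme" (no stem).
    if Path(requested).suffix.lower() != ".dme":
        raise PathTraversalError("only .dme files may be designated")

    # resolve() canonicalises: it collapses '.' and '..' segments and follows symlinks for
    # the parts that exist, so the comparison below is on the path the OS would open,
    # not on the string the user typed.
    root = Path(instance_root).resolve()
    # An absolute `requested` discards `root` here (Path('/a') / '/b' == Path('/b')); the
    # containment test catches that case, so no separate is_absolute() check is needed.
    candidate = (root / requested).resolve()

    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root}") from None
    return candidate


def is_contained(instance_root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for policy code and tests."""
    try:
        resolve_dme_path(instance_root, requested)
        return True
    except PathTraversalError:
        return False


def classify(instance_root: str, requests: list) -> dict:
    """Run every request through the check and record a human-readable verdict."""
    verdicts = {}
    for req in requests:
        try:
            verdicts[req] = f"allowed -> {resolve_dme_path(instance_root, req)}"
        except PathTraversalError as exc:
            verdicts[req] = f"rejected ({exc})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs; the root is a made-up instance directory.
    root = "/srv/tgs/instances/demo/Game"
    samples = [
        "tgstation.dme",              # normal case, allowed
        "maps/../tgstation.dme",      # harmless '..' that stays inside the root, allowed
        "../../shared/evil.dme",      # climbs out of the root, rejected
        "/opt/other/uploads/x.dme",   # absolute path elsewhere on the host, rejected
        "notes.txt",                  # wrong file type, rejected
    ]
    for req, verdict in classify(root, samples).items():
        print(f"{req!r:32} {verdict}")
```

Note what this does and does not cover: it enforces the CWE-22 property (the compile target stays inside the intended directory) and, through `resolve()`, also catches a symlink inside the root that points outside it. It says nothing about the second half of the chain described above, the instance running under BYOND's trusted security level; that remains a separate privilege to control, and the vendor's remedy for this CVE is upgrading to tgstation-server 6.8.0 or later.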
