CVE-2025-21611

EPSS 0.45%
Veröffentlicht 06.01.2025 16:15:31
Zuletzt bearbeitet 19.08.2025 13:17:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is release in tgstation-server-v6.12.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tgstation13 ≫ Tgstation-server Version >= 6.11.0 < 6.12.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.359

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/tgstation/tgstation-server/commit/e7b1189620baaf03c2d23f6e164d07c7c7d87d57

Patch

https://github.com/tgstation/tgstation-server/issues/2064

Issue Tracking

https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rf5r-q276-vrc4

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-21611

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-21611

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-21611

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-21611