tgstation-server Role Authorization Vulnerability Allowing Unauthorized Access

Vulnerability

A vulnerability in tgstation-server prior to version 6.12.3 allows enabled users to access most authorized API actions, regardless of their specific permissions. The issue arises because the roles used to authorize API methods were incorrectly combined with the user-enabled role, so that being an enabled user was enough to satisfy the check. The vulnerability does not affect the WriteUsers permission, which prevents permanent elevation of account privileges.

Impact

Exploitation of this vulnerability could lead to unauthorized access to API actions, allowing users to perform actions they are not permitted to perform.

Reproduction

The vulnerability can be reproduced by assigning a user any repository right other than 'Read', while keeping the 'WriteUsers' permission disabled. When that user accesses the API, they are able to perform actions that their permissions would not normally allow.
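A minimal model of the authorization flaw described above, added here as an illustration (it is not tgstation-server code): the vulnerable check treats the user-enabled role as one more alternative in a method's any-of role list, while the corrected check requires "enabled" as a separate precondition before testing the method's rights. Role and right names are constructed placeholders, not the project's identifiers.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Role names are constructed for this illustration; they are not the project's identifiers.
ENABLED_ROLE = "User.Enabled"
REPO_UPDATE = "Repository.Update"
REPO_DELETE = "Repository.Delete"


@dataclass(frozen=True)
class User:
    name: str
    enabled: bool
    rights: frozenset[str] = field(default_factory=frozenset)

    def roles(self) -> frozenset[str]:
        """Role claims as the flawed check sees them: the enabled flag is just another role."""
        extra = {ENABLED_ROLE} if self.enabled else set()
        return self.rights | frozenset(extra)


def authorize_vulnerable(user: User, required: frozenset[str]) -> bool:
    """Pre-fix behaviour: the method's right-roles and the enabled role land in ONE
    any-of list, so an enabled user passes without holding any required right."""
    any_of = required | {ENABLED_ROLE}
    return bool(user.roles() & any_of)


def authorize_fixed(user: User, required: frozenset[str]) -> bool:
    """Corrected behaviour: enabled is a separate precondition (AND), and the
    any-of test runs only over the rights the method actually requires."""
    return user.enabled and bool(user.rights & required)


# Constructed sample users matching the advisory's reproduction: a user holding a
# repository right other than Read; the WriteUsers path is not modelled here.
ALICE = User("alice", enabled=True, rights=frozenset({REPO_UPDATE}))
DISABLED = User("mallory", enabled=False, rights=frozenset({REPO_UPDATE}))
DELETE_METHOD = frozenset({REPO_DELETE})  # an API method alice holds no right for


def compare(user: User, required: frozenset[str]) -> tuple[bool, bool]:
    """Return (vulnerable_decision, fixed_decision) for one API call."""
    return authorize_vulnerable(user, required), authorize_fixed(user, required)


if __name__ == "__main__":
    print("alice -> Delete:", compare(ALICE, DELETE_METHOD))        # (True, False)
    print("disabled -> Delete:", compare(DISABLED, DELETE_METHOD))  # (False, False)
```

The disabled user is denied by both checks, which is why the flaw only widens what already-enabled accounts can do rather than granting access to accounts that have none.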

Remediation

Users should upgrade to tgstation-server version 6.12.3, where this vulnerability has been patched. Instructions for updating can be found in the tgstation-server repository on GitHub.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 1.3
exploitability: 6.4
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.