CVE-2018-17107

Name of the Vulnerable Software and Affected Versions tgstation-server versions 3.2.1.0 through 3.2.4.0

Description The issue allows active logins to be cached, enabling subsequent logins to succeed with any username or password. This is due to a bug in the WCF communication layer, where the authPolicy parameter is used incorrectly, causing the server to cache previously returned policies. The bug was introduced to accommodate running the Control Panel using Mono.

Recommendations For versions 3.2.1.0 through 3.2.4.0, update to version 3.2.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.