{"id":"CVE-2020-16136","details":"In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine (accessible by the owner of the server process) via directory traversal ../ sequences in /Administration/Logs/ requests. The attacker is unable to enumerate files, however.","modified":"2026-04-11T20:33:18.490452Z","published":"2020-07-31T16:15:11.120Z","related":["GHSA-r8pp-42wr-2gc4"],"references":[{"type":"ADVISORY","url":"https://github.com/tgstation/tgstation-server"},{"type":"ADVISORY","url":"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-r8pp-42wr-2gc4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tgstation/tgstation-server","events":[{"introduced":"0"},{"last_affected":"e9ecf4f382cb3581e52881e2479a0eec5f12612c"},{"last_affected":"5432ae41ccab80a0f5b6af17e3bda9c290aaee94"}],"database_specific":{"cpe":["cpe:2.3:a:tgstation13:tgstation-server:4.4.0:*:*:*:*:*:*:*","cpe:2.3:a:tgstation13:tgstation-server:4.4.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"4.4.0"},{"last_affected":"4.4.1"}],"source":"CPE_FIELD"}}],"versions":["api-v6.3.0","api-v6.4.0","api-v6.4.1","api-v6.5.0","api-v6.5.1","api-v6.6.0","dmapi-v5.1.1","dmapi-v5.2.0","dmapi-v5.2.1","tgstation-server-v3.0.78.0","tgstation-server-v3.0.79.0","tgstation-server-v3.0.80.0","tgstation-server-v3.0.81.0","tgstation-server-v3.0.82.0","tgstation-server-v3.0.83.0","tgstation-server-v3.0.84.0","tgstation-server-v3.0.85.0","tgstation-server-v3.0.85.2","tgstation-server-v3.0.85.3","tgstation-server-v3.0.85.4","tgstation-server-v3.0.86.0","tgstation-server-v3.0.87.0","tgstation-server-v3.0.88.0","tgstation-server-v3.0.89.0","tgstation-server-v3.0.90.0","tgstation-server-v3.0.90.1","tgstation-server-v3.0.90.2","tgstation-server-v3.1.0.1","tgstation-server-v3.1.0.2","tgstation-server-v3.1.0.3","tgstation-server-v3.1.0.4","tgstation-server-v3.1.0.5","tgstation-server-v3.1.0.6","tgstation-server-v3.1.0.7","tgstation-server-v3.1.0.8","tgstation-server-v3.1.1.0","tgstation-server-v3.1.2.0","tgstation-server-v3.1.2.1","tgstation-server-v3.1.2.2","tgstation-server-v3.1.3.0","tgstation-server-v3.1.3.1","tgstation-server-v3.1.3.2","tgstation-server-v3.1.4.0","tgstation-server-v3.1.4.1","tgstation-server-v3.1.5.0","tgstation-server-v3.1.5.1","tgstation-server-v3.1.6.0","tgstation-server-v3.1.6.1","tgstation-server-v3.1.6.2","tgstation-server-v3.1.6.3","tgstation-server-v3.1.6.4","tgstation-server-v3.1.6.5","tgstation-server-v3.1.6.6","tgstation-server-v3.2.0.0","tgstation-server-v3.2.0.1","tgstation-server-v3.2.0.10","tgstation-server-v3.2.0.11","tgstation-server-v3.2.0.12","tgstation-server-v3.2.0.13","tgstation-server-v3.2.0.14","tgstation-server-v3.2.0.15","tgstation-server-v3.2.0.16","tgstation-server-v3.2.0.17","tgstation-server-v3.2.0.2","tgstation-server-v3.2.0.3","tgstation-server-v3.2.0.4","tgstation-server-v3.2.0.5","tgstation-server-v3.2.0.6","tgstation-server-v3.2.0.7","tgstation-server-v3.2.0.8","tgstation-server-v3.2.0.9","tgstation-server-v3.2.1.0","tgstation-server-v3.2.1.1","tgstation-server-v3.2.1.10","tgstation-server-v3.2.1.11","tgstation-server-v3.2.1.12","tgstation-server-v3.2.1.13","tgstation-server-v3.2.1.14","tgstation-server-v3.2.1.15","tgstation-server-v3.2.1.2","tgstation-server-v3.2.1.3","tgstation-server-v3.2.1.4","tgstation-server-v3.2.1.5","tgstation-server-v3.2.1.6","tgstation-server-v3.2.1.7","tgstation-server-v3.2.1.8","tgstation-server-v3.2.1.9","tgstation-server-v3.2.2.0","tgstation-server-v3.2.2.1","tgstation-server-v3.2.2.2","tgstation-server-v3.2.2.3","tgstation-server-v3.2.2.4","tgstation-server-v3.2.3.0","tgstation-server-v3.2.3.2","tgstation-server-v3.2.3.3","tgstation-server-v3.2.3.4","tgstation-server-v3.2.3.5","tgstation-server-v3.2.3.6","tgstation-server-v3.2.3.7","tgstation-server-v4.0.0.0","tgstation-server-v4.0.0.1","tgstation-server-v4.0.0.2","tgstation-server-v4.0.0.3","tgstation-server-v4.0.0.4","tgstation-server-v4.0.0.5","tgstation-server-v4.0.0.6","tgstation-server-v4.0.1.0","tgstation-server-v4.0.1.1","tgstation-server-v4.0.1.2","tgstation-server-v4.0.1.3","tgstation-server-v4.0.1.4","tgstation-server-v4.0.2.0","tgstation-server-v4.0.2.1","tgstation-server-v4.1.0","tgstation-server-v4.1.1","tgstation-server-v4.1.2","tgstation-server-v4.1.3","tgstation-server-v4.1.4","tgstation-server-v4.2.0","tgstation-server-v4.2.1","tgstation-server-v4.2.2","tgstation-server-v4.2.3","tgstation-server-v4.2.4","tgstation-server-v4.2.5","tgstation-server-v4.2.6","tgstation-server-v4.2.7","tgstation-server-v4.2.8","tgstation-server-v4.3.0","tgstation-server-v4.3.1","tgstation-server-v4.3.2","tgstation-server-v4.3.3","tgstation-server-v4.3.4","tgstation-server-v4.3.5","tgstation-server-v4.3.6","tgstation-server-v4.4.0","tgstation-server-v4.4.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-16136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}]}