Lucene search

GitHub_MCVELIST:CVE-2023-32687

HistoryMay 29, 2023 - 8:03 p.m.

CVE-2023-32687 Insufficiently Protected ChatBot Credentials in tgstation-server

2023-05-2920:03:05

CWE-522

GitHub_M

www.cve.org

tgstation-server

byond servers

chat bot connections

credentials

patch

workaround

security issue

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

CNA Affected

[
  {
    "vendor": "tgstation",
    "product": "tgstation-server",
    "versions": [
      {
        "version": ">= 4.7.0, < 5.12.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/tgstation/tgstation-server/pull/1487

github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1

github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

Related for CVELIST:CVE-2023-32687