Lucene search

GitHub_MCVELIST:CVE-2023-34243

HistoryJun 08, 2023 - 9:09 p.m.

CVE-2023-34243 Windows user name disclosure in TGstation

2023-06-0821:09:14

CWE-200

GitHub_M

www.cve.org

tgstation

windows

username disclosure

version 5.12.5

upgrade

mitigation

rate-limiting

fail2ban

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

30.6%

JSON

TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban.

CNA Affected

[
  {
    "vendor": "tgstation",
    "product": "tgstation-server",
    "versions": [
      {
        "version": ">= 4.0.0, < 5.12.5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/tgstation/tgstation-server/pull/1526

github.com/tgstation/tgstation-server/security/advisories/GHSA-w3jx-4x93-76ph

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

30.6%

JSON

Related for CVELIST:CVE-2023-34243