Lucene search

[email protected]NVD:CVE-2023-32687

HistoryMay 29, 2023 - 9:15 p.m.

CVE-2023-32687

2023-05-2921:15:10

CWE-522

[email protected]

web.nvd.nist.gov

tgstation-server

vulnerability

unauthorized access

chat bot

connection strings

security patch

workaround

credentials

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Affected configurations

NVD

Node

tgstation13tgstation-serverRange4.7.0–5.12.1

References

github.com/tgstation/tgstation-server/pull/1487

github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1

github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.6%

JSON

Related for NVD:CVE-2023-32687

cve1 prion1 osv1 cvelist1