CVE-2023-32687

EUVD-2023-36922

29.05.2023, 21:15

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.7 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GitHub_M	CNA	7.7 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Affected Products (NVD)

Vendor	Product	Version
tgstation13	tgstation-server	4.7.0 ≤ 𝑥 < 5.12.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-522 - Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

https://github.com/tgstation/tgstation-server/pull/1487

https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1

https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp

https://github.com/tgstation/tgstation-server/pull/1487

https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1

https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp