CVE-2023-32687

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tgstation/tgstation-server/pull/1487	Patch
https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1	Release Notes
https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-29 21:15

Updated : 2023-06-06 15:12

NVD link : CVE-2023-32687

Mitre link : CVE-2023-32687

CVE.ORG link : CVE-2023-32687

JSON object : View

Products Affected

tgstation13

tgstation-server

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2023-32687", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2023-05-29T21:15:10.053", "references": [{"url": "https://github.com/tgstation/tgstation-server/pull/1487", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety."}], "lastModified": "2023-06-06T15:12:31.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEDF294D-ADA6-45C2-9C45-CFFD516F33FC", "versionEndExcluding": "5.12.1", "versionStartIncluding": "4.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}