CVE-2023-32687

EPSS 0.2%
Veröffentlicht 29.05.2023 21:15:10
Zuletzt bearbeitet 21.11.2024 08:03:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tgstation13 ≫ Tgstation-server Version >= 4.7.0 < 5.12.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.416

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/tgstation/tgstation-server/pull/1487

Patch

https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1

Release Notes

https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32687

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32687

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32687

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32687