← voltar
CVE-2023-32687

Insufficiently Protected ChatBot Credentials in tgstation-server

CVSS 7.7 HIGHEPSS 0.6%CWE-522
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 7.7EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
29 mai 2023Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Produtos afetados
tgstation · tgstation-server

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/tgstation/tgstation-server/pull/1487https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp