CVE-2023-32687 Vulnerability Details

  /     /     /  

CVE-2023-32687 Metadata Quick Info

CVE Published: 29/05/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: tgstation | Product: tgstation-server
Status : PUBLISHED

---

CVE-2023-32687 Description

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Metrics

CVSS Version: 3.1 | Base Score: 7.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-522
CWE Name: CWE-522: Insufficiently Protected Credentials
Source: tgstation

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).