PT-2023-23962 · Unknown · Tgstation-Server

Cyberboss · Published 2023-05-29 · Updated 2023-06-06 · CVE-2023-32687

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: tgstation-server, versions 4.7.0 and later, prior to 5.12.1 (the release that fixes the issue).
Description: Instance users who hold only the "list chat bots" permission can read chat bot connection strings, which are meant to require a separate, higher permission. Connection strings carry the credentials the bot uses to authenticate to its chat service, so a low-privileged instance user can obtain secrets belonging to a system outside tgstation-server itself (hence the scope change and high confidentiality impact in the vector). As a workaround, remove the "list chat bots" permission from users who should not be able to see connection strings, and invalidate any credentials that were stored while such users had access.
Recommendations: For affected versions (4.7.0 and later, before 5.12.1), update to version 5.12.1. As a temporary workaround until the update is applied, remove the "list chat bots" permission from users who should not be able to view connection strings. In either case, treat previously stored connection strings as exposed: invalidate them and issue new credentials for each chat bot.
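The following is an added example, not tgstation-server's own code, that models the authorization flaw described above and its fix in Python: a "before" list endpoint that returns the credential-bearing connection string to anyone holding the list permission, an "after" endpoint that strips that field unless the caller also holds a separate read-connection-string right, and a helper that identifies the users the workaround says to review. The rights names (`LIST`, `READ_CONNECTION_STRING`, `WRITE`), the record shapes and the sample bots and users are assumptions constructed for illustration and do not reflect the project's real API or data.

```python
# Added example (not tgstation-server code). ChatBotRights and its members,
# ChatBot, InstanceUser and the sample data are hypothetical constructions.
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Optional


class ChatBotRights(Flag):
    """Hypothetical per-instance rights, modelled as a bit-flag set."""
    NONE = 0
    LIST = auto()                    # may enumerate chat bots
    READ_CONNECTION_STRING = auto()  # may see the credential-bearing field
    WRITE = auto()


@dataclass(frozen=True)
class ChatBot:
    name: str
    provider: str
    connection_string: str  # contains the bot's credentials (constructed sample)


@dataclass(frozen=True)
class InstanceUser:
    name: str
    rights: ChatBotRights


def has(user: InstanceUser, right: ChatBotRights) -> bool:
    return (user.rights & right) == right


def list_chat_bots_vulnerable(user: InstanceUser, bots: List[ChatBot]) -> List[Dict]:
    """'Before' behaviour: LIST alone returns full records, including the
    connection string. This is the CWE-522 pattern the advisory describes."""
    if not has(user, ChatBotRights.LIST):
        raise PermissionError("missing LIST")
    return [dict(name=b.name, provider=b.provider,
                 connection_string=b.connection_string) for b in bots]


def list_chat_bots_fixed(user: InstanceUser, bots: List[ChatBot]) -> List[Dict]:
    """'After' behaviour: enumerating bots and reading their connection strings
    are distinct rights; the field is stripped server-side unless the caller
    holds READ_CONNECTION_STRING, so a client can never simply unhide it."""
    if not has(user, ChatBotRights.LIST):
        raise PermissionError("missing LIST")
    reveal = has(user, ChatBotRights.READ_CONNECTION_STRING)
    return [dict(name=b.name, provider=b.provider,
                 connection_string=(b.connection_string if reveal else None))
            for b in bots]


def users_to_review(users: List[InstanceUser]) -> List[str]:
    """Workaround helper: users who can list bots but were never granted the
    right to read connection strings. On a vulnerable server these are the
    accounts whose LIST right should be removed until the update is applied."""
    return [u.name for u in users
            if has(u, ChatBotRights.LIST)
            and not has(u, ChatBotRights.READ_CONNECTION_STRING)]


# Constructed sample data; the token and password are placeholders.
SAMPLE_BOTS = [
    ChatBot("announcer", "Discord", "MTIz.fake.token"),
    ChatBot("relay", "IRC", "irc.example.net:6697:hunter2"),
]
SAMPLE_USERS = [
    InstanceUser("admin", ChatBotRights.LIST | ChatBotRights.READ_CONNECTION_STRING
                 | ChatBotRights.WRITE),
    InstanceUser("moderator", ChatBotRights.LIST),
    InstanceUser("player", ChatBotRights.NONE),
]


def demo():
    """Return (leaked, redacted, review): what a LIST-only user sees before and
    after the fix, and which users the workaround flags."""
    moderator = SAMPLE_USERS[1]
    leaked = [b["connection_string"] for b in list_chat_bots_vulnerable(moderator, SAMPLE_BOTS)]
    redacted = [b["connection_string"] for b in list_chat_bots_fixed(moderator, SAMPLE_BOTS)]
    return leaked, redacted, users_to_review(SAMPLE_USERS)


if __name__ == "__main__":
    print(demo())
```

The point of the "after" variant is that the redaction happens where the authorization decision is made, on the server, per field rather than per endpoint; hiding the field in a client UI would leave the raw API response exploitable. Because the rights are flags, `has()` checks that every bit of the requested right is present, so a combined right such as `LIST | READ_CONNECTION_STRING` is handled correctly. Rotating the credentials after patching is still necessary: the fix stops future reads but cannot recall values already disclosed.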


Weakness Enumeration

CWE-522: Insufficiently Protected Credentials

Related Identifiers

CVE-2023-32687
GHSA-RV76-495P-G7CP

Affected Products

Tgstation-Server