Vulnerability Description
tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connection strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.
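The permission gap described above, modelled as an added example in Python (it is not tgstation-server's own C# code; the ChatBotRights bits, the ChatBot fields and the sample data are assumptions): a list endpoint that returns the whole object, beside the corrected form that only includes the connection string when the caller also holds the separate right.

```python
from dataclasses import dataclass
from enum import Flag, auto


class ChatBotRights(Flag):
    """Hypothetical per-instance permission bits (not the project's real enum)."""
    NONE = 0
    LIST = auto()                    # may enumerate configured chat bots
    READ_CONNECTION_STRING = auto()  # may see the secret connection string


@dataclass
class ChatBot:
    id: int
    name: str
    connection_string: str  # bot token / credential; must not reach unprivileged callers


# Constructed sample data; the tokens are placeholders, not real credentials.
BOTS = [
    ChatBot(1, "discord-main", "provider=discord;token=PLACEHOLDER-TOKEN-1"),
    ChatBot(2, "irc-ooc", "server=irc.example.invalid;password=PLACEHOLDER-2"),
]


def list_bots_vulnerable(rights: ChatBotRights) -> list[dict]:
    """Pre-fix behaviour: the list right alone returns the whole object,
    so the connection string leaks to anyone who may merely list bots."""
    if not rights & ChatBotRights.LIST:
        raise PermissionError("list chat bots right required")
    return [{"id": b.id, "name": b.name, "connection_string": b.connection_string}
            for b in BOTS]


def list_bots_fixed(rights: ChatBotRights) -> list[dict]:
    """Patched behaviour: the secret field is included only when the caller
    also holds the dedicated read-connection-string right."""
    if not rights & ChatBotRights.LIST:
        raise PermissionError("list chat bots right required")
    result = []
    for b in BOTS:
        entry = {"id": b.id, "name": b.name}
        if rights & ChatBotRights.READ_CONNECTION_STRING:
            entry["connection_string"] = b.connection_string
        result.append(entry)
    return result


def leaks_connection_string(response: list[dict]) -> bool:
    """Regression-test helper: does any returned entry expose the secret field?"""
    return any("connection_string" in entry for entry in response)
```

The `leaks_connection_string` check is the kind of assertion a regression test for this advisory would run against the list endpoint with a list-only account.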
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tgstation13 | Tgstation-Server | >= 4.7.0, < 5.12.1 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/tgstation/tgstation-server/pull/1487
- Release Notes: https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.1
- Vendor Advisory: https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p
FAQ
What is CVE-2023-32687?
CVE-2023-32687 is a vulnerability with a CVSS score of 7.7 (HIGH). tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connection strings...
How severe is CVE-2023-32687?
CVE-2023-32687 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-32687?
Check the references section above for vendor advisories and patch information. Affected products include: Tgstation13 Tgstation-Server.