Vulnerability Description
tgstation-server is a production-scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache may be poisoned by a tgstation-server (TGS) restart and reattach. This can result in chat messages being sent to any of the configured IRC or Discord channels for the instance on enabled chat bots. The condition persists until the instance's chat channels are updated in TGS or DreamDaemon is restarted. TGS chat commands, custom or otherwise, are unaffected.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tgstation13 | Tgstation-Server | >= 4.0.0, < 5.12.2 |
Related Weaknesses (CWE)
References
- https://github.com/tgstation/tgstation-server/pull/1493 (Patch, Vendor Advisory)
- https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.1 (Release Notes)
- https://github.com/tgstation/tgstation-server/security/advisories/GHSA-p2xj-w57r (Patch, Vendor Advisory)
FAQ
What is CVE-2023-33198?
CVE-2023-33198 is a vulnerability with a CVSS score of 6.1 (MEDIUM). tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This c...
How severe is CVE-2023-33198?
CVE-2023-33198 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-33198?
Check the References section above for vendor advisories and patch information. Affected products include: Tgstation13 Tgstation-Server.