CVE-2023-32687 - OpenCVE

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Tgstation13	Tgstation-server

Configuration 1 [-]

cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/tgstation/tgstation-server/pull/1487	Patch
https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1	Release Notes
https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-29T20:03:05.983Z

Updated: 2023-05-29T20:03:05.983Z

Reserved: 2023-05-11T16:33:45.732Z

Link: CVE-2023-32687

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-29T21:15:10.053

Modified: 2023-06-06T15:12:31.750

Link: CVE-2023-32687

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-32687", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-11T16:33:45.732Z", "datePublished": "2023-05-29T20:03:05.983Z", "dateUpdated": "2023-05-29T20:03:05.983Z"}, "containers": {"cna": {"title": "Insufficiently Protected ChatBot Credentials in tgstation-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp"}, {"name": "https://github.com/tgstation/tgstation-server/pull/1487", "tags": ["x_refsource_MISC"], "url": "https://github.com/tgstation/tgstation-server/pull/1487"}, {"name": "https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1"}], "affected": [{"vendor": "tgstation", "product": "tgstation-server", "versions": [{"version": ">= 4.7.0, < 5.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-29T20:03:05.983Z"}, "descriptions": [{"lang": "en", "value": "tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety."}], "source": {"advisory": "GHSA-rv76-495p-g7cp", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEDF294D-ADA6-45C2-9C45-CFFD516F33FC", "versionEndExcluding": "5.12.1", "versionStartIncluding": "4.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety."}], "id": "CVE-2023-32687", "lastModified": "2023-06-06T15:12:31.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-29T21:15:10.053", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tgstation/tgstation-server/pull/1487"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/tgstation/tgstation-server/releases/tag/tgstation-server-v5.12.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/tgstation/tgstation-server/security/advisories/GHSA-rv76-495p-g7cp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Secondary"}]}