CVE-2023-32687 HIGH

CVE-2023-32687: Insufficiently Protected ChatBot Credentials in tgstation-server

Vendor Tgstation
Product tgstation-server
Weakness CWE-522 · Insufficiently protected credentials
Published May 29, 2023
Last update January 13, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connection strings without holding the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety.

Key dates

Disclosure timeline

May 29, 2023 CVE published
January 13, 2025 Record updated