Description
TGstation is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover that user's username by brute-forcing the login endpoint with an invalid password: when the username corresponded to a valid Windows logon, the server generated a distinct response, so the difference between "unknown user" and "wrong password" replies disclosed which accounts existed. This issue has been addressed in version 5.12.5, and users are advised to upgrade. Users unable to upgrade can mitigate the issue by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline, such as fail2ban.
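The weakness described above and the two defensive responses to it (a fix that makes both failure cases indistinguishable, and a rate limit in front of the endpoint) as an added Python illustration. This is not code from this record or from the tgstation-server project; the `USERS` store, the salt, the client addresses and the limiter thresholds are constructed sample values, and the login functions are a stand-in for an HTTP handler rather than TGS's real one.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed demo user store (not TGS data): username -> PBKDF2 hash of the password.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}
# Hash of a random value, used so that an unknown username costs the same
# work as a known one and the code does not branch on account existence early.
_DUMMY_HASH = _hash(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern (CWE-200): the reply differs for unknown user vs. wrong
    password, so repeated invalid-password attempts reveal which usernames exist."""
    stored = USERS.get(username)
    if stored is None:
        return 401, "unknown user"
    if hmac.compare_digest(stored, _hash(password)):
        return 200, "ok"
    return 401, "bad password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: identical status and body for both failure cases, and the
    password hash is always computed so timing does not split the cases either."""
    stored = USERS.get(username, _DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash(password))
    if matched and username in USERS:
        return 200, "ok"
    return 401, "invalid credentials"


class RateLimiter:
    """Sliding-window limiter keyed by client address; stands in for a front-end
    such as fail2ban that throttles the login endpoint (CWE-307)."""

    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour over time can be exercised offline
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str) -> bool:
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def guarded_login(limiter: RateLimiter, client: str, username: str, password: str) -> tuple[int, str]:
    """Login endpoint with the limiter in front: excess attempts are refused before
    any credential check runs, which is the compensating control the advisory suggests."""
    if not limiter.allow(client):
        return 429, "too many requests"
    return login_uniform(username, password)


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))      # replies differ
    print(login_uniform("nobody", "x"), login_uniform("alice", "x"))  # replies identical
```

The uniform handler still tells a legitimate user that the attempt failed; it only stops telling an observer which of the two reasons applied. The limiter is deliberately keyed on the client address alone, which is what an HTTP-level filter in front of the application can see, so it complements rather than replaces the response fix.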
References
- Issue Tracking, Patch
- Mitigation, Vendor Advisory
Vulnerable configurations
Configuration 1: versions from 4.0.0.0 (inclusive) up to 5.12.5 (exclusive)
cpe:2.3:a:tgstation13:tgstation-server:*:*:*:*:*:*:*:*
EPSS
- Score: 0.00185 (percentile: 40%), Low
CVSS3
- 5.8 Medium
- 5.3 Medium
Weaknesses
- CWE-200
- CWE-307