CVE-2023-34243

Windows user name disclosure in TGstation

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban.

TGstation es un conjunto de herramientas para gestionar servidores BYOND de producción. En las versiones afectadas, si un usuario de Windows estaba registrado en "tgstation-server (TGS)", un atacante podía descubrir su nombre de usuario forzando el endpoint de inicio de sesión con una contraseña no válida. Cuando se encontraba un inicio de sesión de Windows válido, se generaba una respuesta distinta. Este problema se ha solucionado en la versión 5.12.5. Se recomienda a los usuarios que la actualicen. Los usuarios que no puedan actualizar pueden mitigar el problema limitando la velocidad de las llamadas a la API con un software que se sitúe delante de TGS en el canal HTTP, como por ejemplo fail2ban.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-05-31 CVE Reserved
2023-06-08 CVE Published
2024-12-29 EPSS Updated
2025-01-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-307: Improper Restriction of Excessive Authentication Attempts

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/tgstation/tgstation-server/pull/1526	2023-06-15

URL	Date	SRC
https://github.com/tgstation/tgstation-server/security/advisories/GHSA-w3jx-4x93-76ph	2023-06-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tgstation13 Search vendor "Tgstation13"		Tgstation-server Search vendor "Tgstation13" for product "Tgstation-server"				>= 4.0.0.0 < 5.12.5 Search vendor "Tgstation13" for product "Tgstation-server" and version " >= 4.0.0.0 < 5.12.5"		-		Affected