CVE-2023-34243
Severity: MEDIUM
tgstation-server 4.0.0-5.12.4 - Unauthenticated Username Enumeration via Login Endpoint Brute Force
Title source: llmDescription
TGstation is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover that user's username by brute-forcing the login endpoint with an invalid password: when the submitted username matched a valid Windows logon, the server returned a distinguishable response. This issue has been addressed in version 5.12.5, and users are advised to upgrade. Users unable to upgrade can mitigate the issue by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline, such as fail2ban.
References (2)
Mitigation, Vendor Advisory (x_refsource_confirm): https://github.com/tgstation/tgstation-server/security/advisories/GHSA-w3jx-4x93-76ph
Issue Tracking, Patch (x_refsource_misc): https://github.com/tgstation/tgstation-server/pull/1526
Scores
CVSS v3: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
EPSS: 0.0046
EPSS Percentile: 36.3%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Status: published
Products (1): tgstation13/tgstation-server, versions 4.0.0.0 - 5.12.5
Published: Jun 08, 2023
Tracked Since: Feb 18, 2026