TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NTgstation13 Tgstation Server
APPTgstation134.0.0.0 – 5.12.5 (bez)
Powiązane podatności
In Tgstation tgstation-server 3.2.4.0 through 3.2.1.0 (fixed in 3.2.5.0), active logins would be cached, allow...
tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to author...
tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users ...
tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12....
In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any f...