{"id":"CVE-2023-34243","summary":"Windows user name disclosure in TGstation","details":"TGstation is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade can mitigate the issue by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline, such as fail2ban.","aliases":["GHSA-w3jx-4x93-76ph"],"modified":"2026-04-10T04:58:25.723384Z","published":"2023-06-08T21:09:14.628Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34243.json","cwe_ids":["CWE-200"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34243.json"},{"type":"ADVISORY","url":"https://github.com/tgstation/tgstation-server/security/advisories/GHSA-w3jx-4x93-76ph"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34243"},{"type":"FIX","url":"https://github.com/tgstation/tgstation-server/pull/1526"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tgstation/tgstation-server","events":[{"introduced":"d1f36fece6f715bc85bd5c468618efea10b8a1b7"},{"fixed":"b86d678e9fc5dc4b81bf90a2959f7f25a81f7146"}]}],"versions":["api-v6.3.0","api-v6.4.0","api-v6.4.1","api-v6.5.0","api-v6.5.1","api-v6.6.0","api-v7.2.0","api-v7.2.1","api-v7.2.2","api-v7.2.3","api-v7.2.4","api-v7.3.0","api-v7.3.1","api-v7.3.2","api-v7.4.0","api-v8.3.0","api-v9.0.1","api-v9.1.0","api-v9.10.0","api-v9.10.1","api-v9.10.2","api-v9.3.0","api-v9.4.0","api-v9.5.0","api-v9.6.0","api-v9.7.0","api-v9.8.0","api-v9.8.1","api-v9.9.0","dmapi-v5.1.1","dmapi-v5.2.0","dmapi-v5.2.1","dmapi-v5.2.3","dma
pi-v5.2.4","dmapi-v5.2.5","dmapi-v5.2.6","dmapi-v5.2.7","dmapi-v5.2.8","dmapi-v5.2.9","dmapi-v6.0.0","dmapi-v6.0.1","dmapi-v6.0.2","dmapi-v6.0.3","dmapi-v6.0.5","dmapi-v6.1.0","dmapi-v6.2.0","dmapi-v6.3.0","dmapi-v6.3.1","dmapi-v6.4.0","dmapi-v6.4.1","dmapi-v6.4.2","dmapi-v6.4.3","dmapi-v6.4.4","dmapi-v6.4.5","tgstation-server-migrator-1.0.0","tgstation-server-migrator-1.0.1","tgstation-server-v4.0.0.0","tgstation-server-v4.0.0.1","tgstation-server-v4.0.0.2","tgstation-server-v4.0.0.3","tgstation-server-v4.0.0.4","tgstation-server-v4.0.0.5","tgstation-server-v4.0.0.6","tgstation-server-v4.0.1.0","tgstation-server-v4.0.1.1","tgstation-server-v4.0.1.2","tgstation-server-v4.0.1.3","tgstation-server-v4.0.1.4","tgstation-server-v4.0.2.0","tgstation-server-v4.0.2.1","tgstation-server-v4.1.0","tgstation-server-v4.1.1","tgstation-server-v4.1.2","tgstation-server-v4.1.3","tgstation-server-v4.1.4","tgstation-server-v4.10.0","tgstation-server-v4.10.1","tgstation-server-v4.10.2","tgstation-server-v4.10.3","tgstation-server-v4.10.4","tgstation-server-v4.10.5","tgstation-server-v4.10.6","tgstation-server-v4.11.0","tgstation-server-v4.11.1","tgstation-server-v4.12.0","tgstation-server-v4.12.1","tgstation-server-v4.13.0","tgstation-server-v4.14.0","tgstation-server-v4.14.1","tgstation-server-v4.14.2","tgstation-server-v4.14.3","tgstation-server-v4.15.0","tgstation-server-v4.15.1","tgstation-server-v4.15.2","tgstation-server-v4.15.3","tgstation-server-v4.15.4","tgstation-server-v4.15.5","tgstation-server-v4.15.6","tgstation-server-v4.15.7","tgstation-server-v4.16.0","tgstation-server-v4.16.1","tgstation-server-v4.16.2","tgstation-server-v4.17.0","tgstation-server-v4.17.1","tgstation-server-v4.17.2","tgstation-server-v4.18.0","tgstation-server-v4.19.0","tgstation-server-v4.19.1","tgstation-server-v4.2.0","tgstation-server-v4.2.1","tgstation-server-v4.2.2","tgstation-server-v4.2.3","tgstation-server-v4.2.4","tgstation-server-v4.2.5","tgstation-server-v4.2.6","tgstation-server-v4.2.7",
"tgstation-server-v4.2.8","tgstation-server-v4.3.0","tgstation-server-v4.3.1","tgstation-server-v4.3.2","tgstation-server-v4.3.3","tgstation-server-v4.3.4","tgstation-server-v4.3.5","tgstation-server-v4.3.6","tgstation-server-v4.4.0","tgstation-server-v4.4.1","tgstation-server-v4.4.2","tgstation-server-v4.4.3","tgstation-server-v4.4.4","tgstation-server-v4.4.5","tgstation-server-v4.5.0","tgstation-server-v4.5.1","tgstation-server-v4.5.2","tgstation-server-v4.5.3","tgstation-server-v4.5.4","tgstation-server-v4.6.0","tgstation-server-v4.6.1","tgstation-server-v4.6.2","tgstation-server-v4.6.3","tgstation-server-v4.7.0","tgstation-server-v4.7.1","tgstation-server-v4.7.2","tgstation-server-v4.7.3","tgstation-server-v4.8.0","tgstation-server-v4.8.1","tgstation-server-v4.8.2","tgstation-server-v4.9.0","tgstation-server-v4.9.1","tgstation-server-v4.9.2","tgstation-server-v4.9.3","tgstation-server-v5.0.0","tgstation-server-v5.0.1","tgstation-server-v5.0.2","tgstation-server-v5.0.3","tgstation-server-v5.1.0","tgstation-server-v5.1.1","tgstation-server-v5.1.2","tgstation-server-v5.1.3","tgstation-server-v5.1.4","tgstation-server-v5.10.0","tgstation-server-v5.11.0","tgstation-server-v5.12.0","tgstation-server-v5.12.1","tgstation-server-v5.12.2","tgstation-server-v5.12.3","tgstation-server-v5.12.4","tgstation-server-v5.2.0","tgstation-server-v5.2.1","tgstation-server-v5.2.2","tgstation-server-v5.2.3","tgstation-server-v5.2.4","tgstation-server-v5.3.0","tgstation-server-v5.3.1","tgstation-server-v5.3.2","tgstation-server-v5.5.0","tgstation-server-v5.6.0","tgstation-server-v5.7.0","tgstation-server-v5.7.1","tgstation-server-v5.7.2","tgstation-server-v5.7.3","tgstation-server-v5.8.0","tgstation-server-v5.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34243.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}