CVE-2023-33198: 
TG Station Server vulnerability analysis and mitigation

CVE-2023-33198 affects tgstation-server, a production scale tool for BYOND server management. The vulnerability was discovered and disclosed in May 2023, affecting versions from 4.0.0 up to (excluding) 5.12.2. The issue involves the DreamMaker API (DMAPI) chat channel cache potentially being poisoned during tgstation-server (TGS) restart and reattach operations (GitHub Advisory).

The vulnerability stems from incorrect specification of chat message destinations in the DreamMaker API and tgstation-server. When TGS restarts and reattaches, the DMAPI chat channel cache can become poisoned, leading to potential message misdirection. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N, indicating network attack vector with high complexity and no privileges required (GitHub Advisory).

When exploited, this vulnerability can result in chat messages being sent to any of the configured IRC or Discord channels for the instance on enabled chat bots. The condition persists until either the instance's chat channels are updated in TGS or DreamDaemon is restarted. While TGS chat commands remain unaffected, this could lead to information disclosure through misdirected messages (GitHub Advisory).

Several workarounds are available for affected versions: avoid restarting TGS with an active watchdog on instances with sensitive chat channels, update the codebase to a patched DMAPI version, trigger watchdog restarts after TGS restarts, disallow DreamMaker code from sending sensitive messages, or remove sensitive message enabled channels from active Chat Bots. The vulnerability has been patched in tgstation-server version 5.12.2 and DreamMaker API version 6.4.4 (GitHub Advisory, Release Notes).