CVE-2023-34243: 
TG Station Server vulnerability analysis and mitigation

TGstation is a toolset to manage production BYOND servers. The vulnerability (CVE-2023-34243) was discovered in versions 4.0.0.0 through 5.12.5, where if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated (GitHub Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (MEDIUM) according to NVD, and 5.8 (MEDIUM) according to GitHub. The vulnerability is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N) (NVD).

The vulnerability allows attackers to discover valid Windows usernames registered in the TGstation server through brute-force attempts. When a valid Windows login is found, the system generates a distinct response that reveals the existence of that username, potentially exposing sensitive user information (GitHub Advisory).

The vulnerability has been patched in version 5.12.5. Users are advised to upgrade to this version or later. For users unable to upgrade, a workaround is available by implementing rate-limiting API calls using software that sits in front of TGS in the HTTP pipeline, such as fail2ban (GitHub Advisory).