
GHSA-hvm9-wc8j-mgrc tshock

Package

Manager: nuget
Name: tshock
Vulnerable Version: >=4.3.21 <5.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

TShock Security Escalation Exploit

### Impact

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects. Because of this, if the following conditions are met, a player may assume the login state of a previously connected player:

1. The server has UUID login enabled
2. An authenticated player disconnects
3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection
4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player

### Patches

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

### Workarounds

Implement a RemoteClient reset event handler in a plugin like so:

```csharp
public override void Initialize()
{
    // Hook RemoteClient.Reset so the handler below runs on every reset.
    On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    // Clear the stale UUID, then run the original reset logic.
    client.ClientUUID = null;
    orig(client);
}
```
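The following is an added example, not code from TShock or OTAPI: a self-contained model of the four conditions under Impact, showing why clearing the identity field on reset closes the gap. `Slot`, `Accounts`, `UuidLogin` and the `uuid-alice` value are hypothetical stand-ins constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of a pooled connection slot; not the real RemoteClient type.
class Slot
{
    public string ClientUUID;   // identity field that outlives the connection unless cleared
    public bool IsActive;

    // clearIdentity = false models the stale-state behaviour the advisory describes;
    // clearIdentity = true models a reset that also clears the UUID.
    public void Reset(bool clearIdentity)
    {
        IsActive = false;
        if (clearIdentity) ClientUUID = null;
    }
}

static class Demo
{
    // Hypothetical UUID -> account table standing in for the server's UUID login.
    static readonly Dictionary<string, string> Accounts =
        new Dictionary<string, string> { ["uuid-alice"] = "alice" };

    // Returns the account the server would log in for this slot, or null.
    static string UuidLogin(Slot s) =>
        s.ClientUUID != null && Accounts.TryGetValue(s.ClientUUID, out var a) ? a : null;

    // First session sets a UUID and disconnects; the second session reuses the
    // same slot object and never supplies a UUID of its own.
    static string SecondSessionAccount(bool clearIdentity)
    {
        var slot = new Slot { IsActive = true, ClientUUID = "uuid-alice" };
        slot.Reset(clearIdentity);   // first player disconnects
        slot.IsActive = true;        // slot object handed to the next connection
        return UuidLogin(slot);
    }

    static void Main()
    {
        Console.WriteLine("reset keeps UUID:   " + (SecondSessionAccount(false) ?? "(no login)"));
        Console.WriteLine("reset clears UUID:  " + (SecondSessionAccount(true) ?? "(no login)"));
    }
}
```

The same pattern applies to any per-connection field kept on a pooled object: whatever an authentication decision reads must be cleared in the reset path rather than relying on the next client to overwrite it.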

Metadata

Created: 2024-12-18T18:19:12Z
Modified: 2024-12-18T18:19:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-hvm9-wc8j-mgrc/GHSA-hvm9-wc8j-mgrc.json
CWE IDs: ["CWE-305", "CWE-613", "CWE-863"]
Alternative ID: N/A
Finding: F062
Auto approve: 1