CVE-2023-40171

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-40171
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40171.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-40171
Aliases
  • GHSA-fv3x-67q3-6pg7
Published
2023-08-17T21:19:28.326Z
Modified
2025-12-05T00:03:26.350002Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Dispatch writes the JWT secret key in an error message
Details

Dispatch is an open source security incident management tool. When the Dispatch Plugin - Basic Authentication Provider plugin fails to decode a JWT, the server response includes the JWT secret key used to sign JWT tokens in the error message. Any Dispatch users who run their own instance and rely on the Dispatch Plugin - Basic Authentication Provider plugin for authentication may be affected: an unauthenticated client can trigger the decode error, read the secret from the response, and use it to sign attacker-crafted JWTs, allowing any account within that instance to be taken over. If you think you may be impacted, rotate the secret stored in the DISPATCH_JWT_SECRET environment variable in the .env file. Rotate it after upgrading, since an unpatched instance would disclose the new secret in the same way; rotating also invalidates every token signed with the old secret, including any an attacker forged. This issue has been addressed in commit b1942a4319, which is included in the 20230817 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
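
The following is an added illustration of the bug class (CWE-209) and of the account takeover the advisory describes; it is not Dispatch's code. HS256 signing and verification are reimplemented with the standard library so the script runs offline, and the vulnerable handler is a simplified reconstruction: the error-message format, the handler and function names, and the .env contents are assumptions made for the example. It also carries the remediation through: a patched handler returns a generic error, the DISPATCH_JWT_SECRET line in a constructed .env is rotated, and the forged token is then rejected.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, secret: str) -> dict:
    """Return the claims if structure, HS256 signature and expiry check out; else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        raise ValueError("malformed token")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def vulnerable_current_user(token: str, jwt_secret: str) -> dict:
    """Reconstruction of the bug class: the decode-failure message sent back to the
    client carries the signing key. The message format here is an ASSUMPTION."""
    try:
        return {"status": 200, "email": verify_jwt(token, jwt_secret)["email"]}
    except (ValueError, KeyError) as exc:
        return {"status": 401,
                "detail": f"Could not decode token {token!r} with key {jwt_secret!r}: {exc}"}


def fixed_current_user(token: str, jwt_secret: str) -> dict:
    """Hardened form: a generic message for the client; specifics belong in the server log only."""
    try:
        return {"status": 200, "email": verify_jwt(token, jwt_secret)["email"]}
    except (ValueError, KeyError):
        return {"status": 401, "detail": "Could not validate credentials"}


LEAK_RE = re.compile(r"with key '([^']*)'")  # matches the ASSUMED message format above


def extract_leaked_secret(detail: str):
    """Attacker side: pull the signing key out of the leaked error body."""
    match = LEAK_RE.search(detail)
    return match.group(1) if match else None


def rotate_env_secret(env_text: str, new_secret: str = "") -> tuple:
    """Replace the DISPATCH_JWT_SECRET line in .env content; returns (new text, new secret)."""
    new_secret = new_secret or secrets.token_urlsafe(48)
    pattern = re.compile(r"^DISPATCH_JWT_SECRET=.*$", re.M)
    if not pattern.search(env_text):
        raise ValueError("DISPATCH_JWT_SECRET not present in .env")
    return pattern.sub(lambda _: f"DISPATCH_JWT_SECRET={new_secret}", env_text), new_secret


def demo() -> dict:
    secret = "constructed-old-secret"  # stands in for the value in the instance's .env
    # 1. Unauthenticated probe with a garbage token; the 401 body leaks the key.
    leaked = extract_leaked_secret(vulnerable_current_user("garbage", secret)["detail"])
    # 2. Sign a token for any account with the leaked key; the instance accepts it.
    forged = sign_jwt({"email": "admin@example.com", "exp": time.time() + 3600}, leaked)
    takeover = vulnerable_current_user(forged, secret)
    # 3. Upgrade (generic error) and rotate the secret: the forged token is now rejected.
    env_text = "LOG_LEVEL=info\nDISPATCH_JWT_SECRET=constructed-old-secret\n"  # constructed .env
    new_env, new_secret = rotate_env_secret(env_text)
    after = fixed_current_user(forged, new_secret)
    return {"leaked": leaked, "takeover_status": takeover["status"],
            "takeover_email": takeover.get("email"), "after_rotation": after["detail"],
            "env_rotated": new_secret in new_env and secret not in new_env}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order in step 3 matters: rotating the secret on an unpatched instance only hands the attacker the new one on their next probe, so patch first, then rotate. Once the secret changes, every token signed with the old value fails verification, which is what makes rotation sufficient to evict forged sessions.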

Database specific
{
    "cwe_ids": [
        "CWE-209"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40171.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/netflix/dispatch

Affected ranges

Type
GIT
Repo
https://github.com/netflix/dispatch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Not recorded in this OSV range; per Details, commit b1942a4319, included in release 20230817
Affected versions

Other

fix-test-vars
v202001207
v20200421
v20200503
v20200506
v20200922
v20201001
v20201013
v20201027
v20201106
v20201119
v20201207
v202030505
v20210112
v20210210
v20210212
v20210224
v20210319
v20210506
v20210603
v20210714
v20210804
v20210913
v20211015
v20211116
v20220119
v20220214
v20220310
v20220322
v20220428
v20220504
v20220607
v20220706
v20220801
v20220915
v20221110
v20221207
v20230131
v20230213
v20230215
v20230309
v20230409
v20230606

v20200922.*

v20200922.1

v20210804.*

v20210804.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40171.json"