Mr-N30

**Name of the Vulnerable Software and Affected Versions** Apache Druid versions 0.18.0 through 30.0.0 **Description** The issue is a Padding Oracle vulnerability in the Apache Druid extension, druid-pac4j, which could allow an attacker to manipulate a pac4j session cookie. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this issue. While there is no known way to meaningfully exploit this flaw, it is recommended to take precautions. **Recommendations** For Apache Druid versions 0.18.0 through 30.0.0, upgrade to version 30.0.1 or higher to fix the issue. Ensure a strong `druid.auth.pac4j.cookiePassphrase` is set as a precaution.

**Name of the Vulnerable Software and Affected Versions** Dispatch versions prior to 20230817 **Description** Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could be done by using the secret to sign attacker crafted JWTs. **Recommendations** To resolve the issue, rotate the secret stored in the `DISPATCH JWT SECRET` envvar in the `.env` file. Upgrade to the 20230817 release or later, which includes the fix for this issue.