PT-2023-27303 · Dispatch · Dispatch Plugin - Basic Authentication Provider

Mr-N30 · Published 2023-08-17 · Updated 2023-08-24 · CVE-2023-40171

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Dispatch versions prior to 20230817

Description: Dispatch is an open source security incident management tool. When the Dispatch Plugin - Basic Authentication Provider plugin encounters an error while attempting to decode a JWT token, the server response includes, in its error message, the JWT secret key used for signing JWT tokens. Any Dispatch users who own their instance and rely on the Dispatch Plugin - Basic Authentication Provider plugin for authentication may be impacted: any account within their own instance can be taken over, since the secret can be used to sign attacker-crafted JWTs.

Recommendations: To resolve the issue, rotate the secret stored in the DISPATCH_JWT_SECRET environment variable in the .env file, and upgrade to the 20230817 release or later, which includes the fix for this issue.
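As an added illustration (not Dispatch's own code), the Python below models the defect class the description names: a JWT decode failure whose exception text carries the signing key, a handler that copies that text into the 401 response body, and the hardened handler that logs the details server-side and returns a fixed message. The HS256 helpers, the key-embedding decoder, the secret and the e-mail address are constructed stand-ins; the regression check at the end is the assertion a maintainer would add to a test suite so the leak cannot return.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("auth")

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def encode_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build valid sample tokens."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_hs256(token: str, secret: str) -> dict:
    """Constructed stand-in: on failure its message embeds the key, as the advisory describes."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("signature mismatch")
        return json.loads(_b64url_decode(body))
    except Exception as exc:
        raise ValueError(f"unable to decode token with key {secret!r}: {exc}") from exc

def get_current_user_leaky(token: str, secret: str) -> dict:
    """Vulnerable pattern: raw exception text is copied into the 401 response body."""
    try:
        return {"status": 200, "user": decode_hs256(token, secret)["email"]}
    except ValueError as exc:
        return {"status": 401, "detail": [{"msg": str(exc)}]}

def get_current_user_fixed(token: str, secret: str) -> dict:
    """Hardened pattern: details go to the server log only; the client gets a fixed message."""
    try:
        return {"status": 200, "user": decode_hs256(token, secret)["email"]}
    except ValueError:
        log.warning("token validation failed", exc_info=True)
        return {"status": 401, "detail": [{"msg": "Could not validate credentials"}]}

def response_leaks_secret(response: dict, secret: str) -> bool:
    """Regression check: the secret must never appear anywhere in a response body."""
    return secret in json.dumps(response)
```

Rotating the secret, as the recommendation says, is still required after deploying the fixed handler, because any secret already returned to a client must be treated as disclosed.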

Exploit

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2023-40171
GHSA-FV3X-67Q3-6PG7

Affected Products

Dispatch
Dispatch Plugin - Basic Authentication Provider