Dispatch writes JWT tokens in error message
CVE-2023-40171

9.1 CRITICAL

Key Information:

Vendor

Netflix

Status
Vendor
CVE Published:
17 August 2023

What is CVE-2023-40171?

Dispatch, the incident management tool developed by Netflix, has a vulnerability in the Dispatch Plugin - Basic Authentication Provider: when decoding a JWT fails, the error message includes the JWT Secret Key used to sign tokens. Anyone who can trigger such a decoding failure and read the response can therefore learn the signing secret, craft their own JWTs, and gain access to accounts on an affected instance. Affected users are strongly encouraged to rotate the JWT Secret Key stored in the DISPATCH_JWT_SECRET environment variable in their .env file. The vulnerability is fixed in the release dated August 17, 2023, and users should upgrade to that version or later to keep their instances secure. There are currently no workarounds for this issue.
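The following is an added illustration of the bug class behind this advisory, not Dispatch's own code: an HS256 JWT verifier whose failure handler interpolates the signing secret into the error text, beside a hardened handler that returns a generic message, plus a regression check that scans error output for the secret. Function names, the stdlib-only JWT implementation and the sample secret are all constructed for this example.

```python
# Hypothetical illustration of CVE-2023-40171's bug class (not Dispatch code):
# a JWT decode failure whose error message embeds the signing secret, beside
# a hardened handler. HS256 is implemented with the stdlib so it runs offline.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_hs256(payload: dict, secret: str) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_hs256(token: str, secret: str) -> dict:
    """Verify and decode; raises ValueError on structural or signature failure."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(body))

def vulnerable_auth(token: str, secret: str) -> Tuple[Optional[dict], str]:
    """Leaky pattern: the secret is interpolated into the error returned to the client."""
    try:
        return decode_hs256(token, secret), ""
    except ValueError as exc:
        return None, f"Could not decode token {token} with secret {secret}: {exc}"

def hardened_auth(token: str, secret: str) -> Tuple[Optional[dict], str]:
    """Fixed pattern: generic client-facing message; the secret never leaves the process."""
    try:
        return decode_hs256(token, secret), ""
    except ValueError:
        return None, "Invalid token"

def error_leaks_secret(message: str, secret: str) -> bool:
    """Regression check for defenders: does any error text contain the signing secret?"""
    return secret in message
```

Running `error_leaks_secret` over every error path (and over captured logs or HTTP responses in a test suite) is the cheap check that would have caught this class of leak before release.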

Affected Version(s)

dispatch < 20230817

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved