CVE-2023-40171 - Dispatch Security Incident Management Tool Leaks JWT Secret Key in Error Message

Dispatch is an open-source security incident management tool that organizations worldwide depend on for handling various security incidents. Recently, a vulnerability (CVE-2023-40171) was discovered in the Dispatch tool, which could result in potentially severe consequences for affected users. This blog post aims to inform users about the vulnerability, provide guidance on how to address it, and suggest possible mitigations.

The Vulnerability

The vulnerability in question is related to the Dispatch Plugin - Basic Authentication Provider plugin, which is used for handling authentication in Dispatch. When attempting to decode a JSON Web Token (JWT), if the plugin encounters an error, it exposes the JWT Secret Key used for signing JWT tokens in the server's response.

This issue potentially affects any Dispatch users who manage their instance and rely on the Dispatch Plugin - Basic Authentication Provider plugin for authentication. Exploiting this vulnerability, an attacker could gain unauthorized access to any account within the vulnerable Dispatch instance by using the leaked secret key to sign crafted JWTs.

Code Snippet

Below is a code snippet illustrating the issue in the vulnerable plugin.

def decode_jwt(token: str) -> Dict:
    jwt_secret = os.getenv("DISPATCH_JWT_SECRET")

    try:
        return jwt.decode(token, jwt_secret, algorithms=["HS256"])
    except Exception as e:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not decode JWT token.",
            headers={"error": str(e)},
        )

The issue lies in the headers={"error": str(e)} part, where the exception message containing the JWT secret key is exposed in the error response.

Fix and Recommendations

This vulnerability has been addressed in the recent Dispatch release, 20230817, which includes the commit b1942a4319. Users are advised to upgrade their Dispatch instance to this release as soon as possible. You can view the original patch commit here.

Additionally, if you believe you may be impacted by this vulnerability, it is strongly recommended to rotate the secret stored in the DISPATCH_JWT_SECRET environment variable in the .env file for added security.

At the time of writing, there are no known workarounds for this vulnerability. Therefore, it is essential to follow up on the provided recommendations to secure your Dispatch instance.

Conclusion

Security vulnerabilities can have far-reaching implications for organizations and users alike. Staying vigilant and proactive in addressing them is critical to maintaining a secure environment. With the information provided in this blog post, we hope that Dispatch users can better understand CVE-2023-40171 and take the necessary steps to remediate and protect their instances. Don't forget to check for updates and stay informed on security developments to safeguard your infrastructure effectively.

Timeline

Published on: 08/17/2023 22:15:00 UTC
Last modified on: 08/24/2023 15:11:00 UTC