CVE-2023-40171

Public Exploit
Dispatch writes JWT tokens in error message

Description

Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could be done by using the secret to sign attacker crafted JWTs. If you think that you may be impacted, we strongly suggest you to rotate the secret stored in the `DISPATCH_JWT_SECRET` envvar in the `.env` file. This issue has been addressed in commit `b1942a4319` which has been included in the `20230817` release. users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

9.1
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.10%
Third-Party Advisory github.com
Affected: Netflix dispatch
Published at:
Updated at:

References

Link Tags
https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7 third party advisory exploit
https://github.com/Netflix/dispatch/pull/3695 patch
https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70 patch
https://github.com/Netflix/dispatch/releases/tag/latest release notes

Frequently Asked Questions

What is the severity of CVE-2023-40171?
CVE-2023-40171 has been scored as a critical severity vulnerability.
How to fix CVE-2023-40171?
To fix CVE-2023-40171, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-40171 being actively exploited in the wild?
It is possible that CVE-2023-40171 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40171?
CVE-2023-40171 affects Netflix dispatch.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.