
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Dispatch is an open source security incident management tool. When the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error while attempting to decode a JWT token, the server response includes, in the error message, the JWT secret key used for signing JWT tokens. Any Dispatch users who run their own instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted: the leaked secret can be used to sign attacker-crafted JWTs, allowing any account within that instance to be taken over. If you think that you may be impacted, we strongly suggest that you rotate the secret stored in the `DISPATCH_JWT_SECRET` environment variable in the `.env` file.

References:
https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70
https://github.com/Netflix/dispatch/pull/3695
https://github.com/Netflix/dispatch/releases/tag/latest
https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7

CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

XSS vulnerabilities were discovered and reported in the Dispatch application, affecting the name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. These vulnerabilities can be exploited by an authenticated user.

References:
https://github.com/Netflix/dispatch/releases/tag/v20201106
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The access control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users being able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines, the risk is lowered, as these issues may only be exploited by an authenticated user.

References:
https://github.com/Netflix/dispatch/releases/tag/v20201106
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-005.md