CVE-2023-40171

9.1 CRITICAL

📋 TL;DR

This vulnerability in Dispatch's Basic Authentication Provider plugin exposes the JWT secret key in error messages when JWT token decoding fails. Attackers can use this secret to forge valid JWT tokens and take over any account in affected Dispatch instances. Only users who run their own Dispatch instances with the Basic Authentication Provider plugin enabled are impacted.
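The bug class described above, as an added example that is not Dispatch's code and not taken from the advisory: a minimal HS256 token verifier written with the Python standard library (a stand-in for a JWT library, so it runs offline), a `leaky_authenticate` handler that interpolates the signing secret into the client-visible error message, and a `hardened_authenticate` handler that returns a generic error and keeps the failure reason in a server-side log without the key. All function names, the `DEMO_SECRET` value and the `AUDIT_LOG` list are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; not a real Dispatch deployment value.
DEMO_SECRET = "constructed-demo-secret-do-not-reuse"


class JWTDecodeError(Exception):
    """Raised when a token is malformed or its signature does not verify."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 token (minimal stdlib stand-in for a JWT library)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def decode_hs256(token: str, secret: str) -> dict:
    """Verify the HMAC and return the claims, or raise JWTDecodeError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTDecodeError("token must have three dot-separated segments")
    header_b64, body_b64, sig_b64 = parts
    try:
        presented = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise JWTDecodeError("signature segment is not valid base64url") from exc
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; also rejects truncated or wrong-length signatures.
    if not hmac.compare_digest(expected, presented):
        raise JWTDecodeError("signature verification failed")
    try:
        return json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError) as exc:
        raise JWTDecodeError("payload is not valid JSON") from exc


def leaky_authenticate(token: str, secret: str) -> dict:
    """Vulnerable pattern (constructed illustration, not Dispatch's code):
    the error response echoes the signing secret to the client."""
    try:
        return {"claims": decode_hs256(token, secret)}
    except JWTDecodeError as exc:
        # BUG: interpolating the secret into a client-visible message.
        return {"error": f"JWT decode failed with key {secret!r}: {exc}"}


AUDIT_LOG: list[str] = []  # constructed stand-in for a server-side logger


def hardened_authenticate(token: str, secret: str) -> dict:
    """Fixed pattern: generic client error; detail kept server-side without the key."""
    try:
        return {"claims": decode_hs256(token, secret)}
    except JWTDecodeError as exc:
        # The log records the failure reason but never the key material.
        AUDIT_LOG.append(f"jwt decode failure: {exc}")
        return {"error": "invalid authentication token"}


def response_leaks_secret(response: dict, secret: str) -> bool:
    """The advisory's verification check: does an error response contain the secret?"""
    return secret in response.get("error", "")


if __name__ == "__main__":
    good = encode_hs256({"sub": "analyst@example.com"}, DEMO_SECRET)
    # Constructed bad input: a token signed under a different key.
    bad = encode_hs256({"sub": "analyst@example.com"}, "a-different-secret")
    print(hardened_authenticate(good, DEMO_SECRET))
    print("leaky handler leaks secret:", response_leaks_secret(leaky_authenticate(bad, DEMO_SECRET), DEMO_SECRET))
    print("hardened handler leaks secret:", response_leaks_secret(hardened_authenticate(bad, DEMO_SECRET), DEMO_SECRET))
```

The `response_leaks_secret` check is the same test the "Verify Fix Applied" step calls for: send a token that fails verification and confirm the secret never appears in the response. It also doubles as a log-review check for the "Error messages containing JWT secret strings" indicator if run over captured error bodies.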

💻 Affected Systems

Products:
  • Netflix Dispatch
Versions: All versions before 20230817 release
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using the Dispatch Plugin - Basic Authentication Provider plugin. Cloud-hosted Dispatch instances are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of all user accounts in the Dispatch instance, allowing attackers to access sensitive incident data, modify configurations, and potentially pivot to other systems.

🟠 Likely Case

Attackers gain administrative access to the Dispatch instance, compromising security incident management data and potentially using the platform to launch further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the Dispatch instance itself, though sensitive incident data would still be compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires triggering an error in JWT token decoding to obtain the secret, then using standard JWT libraries to forge tokens.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20230817 release (commit b1942a4319)

Vendor Advisory: https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7

Restart Required: Yes

Instructions:

1. Update Dispatch to version 20230817 or later.
2. Rotate the DISPATCH_JWT_SECRET environment variable.
3. Restart the Dispatch service.

🧯 If You Can't Patch

  • Immediately rotate the DISPATCH_JWT_SECRET environment variable to a new random value
  • Disable the Basic Authentication Provider plugin if not required

🔍 How to Verify

Check if Vulnerable:

Check whether the Dispatch version is older than 20230817 and the Basic Authentication Provider plugin is enabled

Check Version:

Check Dispatch version in web interface or deployment configuration

Verify Fix Applied:

Verify that the Dispatch version is 20230817 or newer and test that error messages no longer contain the JWT secret

📡 Detection & Monitoring

Log Indicators:

  • Error messages containing JWT secret strings
  • Multiple failed JWT decoding attempts from single source

Network Indicators:

  • Unusual authentication patterns
  • Requests designed to trigger JWT decoding errors

SIEM Query:

dispatch logs containing 'JWT' AND ('secret' OR 'key') in error messages
