Dispatch writes JWT tokens in error message
Description
Dispatch leaks the JWT secret key in error messages, allowing attackers to forge tokens and take over any account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Dispatch Plugin - Basic Authentication Provider. When the plugin fails to decode a malformed JWT, its error handler includes the DISPATCH_JWT_SECRET value in the detail field of the HTTP 401 response. This affects all Dispatch instances using the Basic Authentication Provider prior to commit b1942a4319 (release 20230817). [3][4]
Exploitation
An attacker with network access to a vulnerable Dispatch instance can send a crafted invalid JWT token to the authentication endpoint. The server responds with an error message containing the JWT secret key. The attacker then uses this secret to sign arbitrary JWTs, impersonating any user. [3]
Impact
Successful exploitation allows full account takeover within the Dispatch instance. The attacker can forge tokens for any email address, gaining the privileges of that user, including administrative access if the target account has such rights. [3]
Mitigation
Upgrade to Dispatch release 20230817 or later, which includes commit b1942a4319 that removes the secret from error messages. After upgrading, rotate the DISPATCH_JWT_SECRET environment variable in the .env file, since any secret that may have been served in an error response must be treated as compromised and existing tokens signed with it remain valid until it changes. No workarounds are available. [3][4]
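The leak described above and its fix, as an added illustration that is not Dispatch's own code: a hypothetical error handler whose 401 detail interpolates the signing secret, beside a hardened handler that returns a fixed message, plus a regression check that an error response never contains the secret. The HS256 helpers and the JWT_SECRET value are constructed for this example.

```python
import base64, hashlib, hmac, json

# Constructed sample value standing in for DISPATCH_JWT_SECRET (never hard-code a real one).
JWT_SECRET = "constructed-example-secret"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Issue a compact HS256 JWT (used here only to build a valid sample token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: str) -> dict:
    """Verify an HS256 JWT; raises ValueError on malformed input or a bad signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header, payload, sig = parts
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload))

def decode_leaky(token: str) -> dict:
    """Vulnerable pattern (hypothetical): the 401 detail interpolates the secret with the error."""
    try:
        return {"status": 200, "claims": verify_hs256(token, JWT_SECRET)}
    except Exception as exc:
        return {"status": 401, "detail": f"could not decode token with key {JWT_SECRET}: {exc}"}

def decode_hardened(token: str) -> dict:
    """Fixed pattern: a fixed, generic detail for the client; specifics belong in server logs only."""
    try:
        return {"status": 200, "claims": verify_hs256(token, JWT_SECRET)}
    except Exception:
        return {"status": 401, "detail": "Invalid or malformed token"}

def response_leaks_secret(response: dict, secret: str) -> bool:
    """Regression check: no field of an error response may contain the signing secret."""
    return any(secret in str(value) for value in response.values())
```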
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
- [1] github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70
- [2] github.com/Netflix/dispatch/pull/3695
- [3] github.com/Netflix/dispatch/releases/tag/latest
- [4] github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7
News mentions (0)
No linked articles in our index yet.