Skip to content

Server-Side Template Injection in Dispatch Message Templates

Critical
metroid-samus published GHSA-mj34-2846-9c8c Jul 31, 2024

Package

No package listed

Affected versions

< v20240731

Patched versions

v20240731

Description

Advisory

ID: NFLX-2024-003
CVE: CVE-2024-7093
Title: Server-Side Template Injection in Dispatch Message Templates
Release Date: 2024-07-31
Severity: Critical
Credit: StrCXY

Overview:

Server-Side Template Injection in Dispatch Message Templates

Impact:

Authenticated users can achieve Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) using Dispatch's notification functionality if their instance contains an enabled message template containing malicious code.

Admin users have full access to create, edit, and delete these message templates. Non-admins can also exploit this vulnerability if they are the first to create a message template as they do not have the permissions to edit an existing message template.

All versions of Dispatch before #5002 are impacted and should be patched immediately.

To determine if your Dispatch deployment is affected, locate the version number (GitHub commit hash) in the help dropdown from the top menu bar. If this hash value comes after the fix c1626bf, your deployment is not impacted.

Description:

Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out.

Workarounds and Fixes

This issue was fixed in #5002 and a new release with the fix was created. Please, upgrade your Dispatch instances to the new version.

Severity

Critical

CVE ID

CVE-2024-7093

Weaknesses

No CWEs

Credits