Security Researcher @thank_you discovered Access Control vulnerabilities in Netflix's open source Dispatch application. It is recommended to update to the latest version of Dispatch to patch the vulnerabilities.
These vulnerabilities in Dispatch allow a registering user to grant themselves administrative privileges, an authenticated user to either obtain general administrative access, and a user to access information associated with “restricted” incidents for which the user did not already have visibility. Given Dispatch’s intended purpose, we expect that the typical Dispatch service is deployed internally, and configured to allow access from trusted users in an organization. If Dispatch is deployed in this way, the risk is lower, as the attacker would have to have access to a legitimate user account.
The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, a user adding themselves as a participant in a restricted incident, and a user being able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user.
These vulnerabilities have been patched in the v20201106 release. Organizations or users of Dispatch should update to the most recent version to apply the patch. We have also published production deployment guidelines, to help with hardening Dispatch deployments. We recommend Dispatch operators to follow this guidance when deploying Dispatch in an organization.