2 results (0.011 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. • https://github.com/getsentry/self-hosted/releases/tag/23.12.1 https://github.com/getsentry/symbolicator/pull/1343 https://github.com/getsentry/symbolicator/releases/tag/23.12.1 https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2. Symbolicator es un servicio de simbolización para seguimientos de pila y minivolcados nativos con soporte de servidor de símbolos. • https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a https://github.com/getsentry/symbolicator/pull/1332 https://github.com/getsentry/symbolicator/releases/tag/23.11.2 https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6 • CWE-918: Server-Side Request Forgery (SSRF) •