
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sentry is an error tracking and performance monitoring platform. Sentry's integration platform lets external services interact with Sentry. One such integration, the Phabricator integration (maintained by Sentry), contains a constrained SSRF vulnerability in versions up to and including 24.1.1. By supplying unsanitized input to the Phabricator integration, an attacker could make Sentry send POST HTTP requests to arbitrary URLs, including internal IP addresses. The request body is constrained to a specific format, which limits what an attacker can do with the forged request. The fix shipped in self-hosted release 24.1.2.
• https://github.com/getsentry/self-hosted/releases/tag/24.1.2 • https://github.com/getsentry/sentry/pull/64882 • https://github.com/getsentry/sentry/security/advisories/GHSA-rqxh-fp9p-p98r
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 23.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses to those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1 and Sentry self-hosted release 23.12.1, and was mitigated on sentry.io on December 18, 2023.
• https://github.com/getsentry/self-hosted/releases/tag/23.12.1 • https://github.com/getsentry/symbolicator/pull/1343 • https://github.com/getsentry/symbolicator/releases/tag/23.12.1 • https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sentry-Javascript is the official Sentry SDK for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK, versions 7.78.0 through 7.86.0. Under certain conditions it allows an attacker to cause excessive computation time on the server, leading to denial of service (DoS). The vulnerability has been patched in @sentry/astro version 7.87.0.
• https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb • https://github.com/getsentry/sentry-javascript/pull/9815 • https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72
• CWE-400: Uncontrolled Resource Consumption • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Symbolicator is a symbolication service for native stack traces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on the Sentry instance. The issue has been fixed in release 23.11.2.
• https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a • https://github.com/getsentry/symbolicator/pull/1332 • https://github.com/getsentry/symbolicator/releases/tag/23.11.2 • https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

sentry-javascript provides the Sentry SDKs for JavaScript. Unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have the Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.
• https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be • https://github.com/getsentry/sentry-javascript/pull/9415 • https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
• CWE-918: Server-Side Request Forgery (SSRF)
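Four of the five entries above are server-side request forgery in a component that turns caller-controlled input into an outbound HTTP request: an unsanitized integration setting, an invalid protocol or crafted endpoint in a symbol request, and a tunnel endpoint that forwards envelopes. The example below is added here as an illustration; it is not code from Sentry, Symbolicator or the sentry-javascript SDK, and its function names, option names and sample envelope are this example's own. It shows the two guards such code needs: a denylist check (`checkOutboundUrl`) for a feature that must accept a caller-supplied destination, and an allowlist rebuild (`resolveTunnelUpstream`) for a tunnel whose only legitimate destinations are known in advance.

```javascript
// Added example, not the project's code. Two SSRF guards for code that
// makes outbound HTTP requests on behalf of a caller.
//   checkOutboundUrl      - destination is user input: allow only https and
//                           reject literal internal addresses.
//   resolveTunnelUpstream - tunnel for Sentry envelopes: rebuild the upstream
//                           URL from allowlisted pieces, never copy it.
// All names here are assumptions of this example.

const ALLOWED_SCHEMES = new Set(['https:']);

// Ranges a server must never be tricked into calling: loopback, RFC 1918,
// link-local (which includes the 169.254.169.254 cloud metadata address),
// carrier-grade NAT and 0.0.0.0/8.
function isInternalIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// URL.hostname returns IPv6 literals in brackets and in compressed hex,
// e.g. "[::ffff:7f00:1]" for an IPv4-mapped 127.0.0.1.
function isInternalIPv6(bracketed) {
  const h = bracketed.slice(1, -1).toLowerCase();
  if (h === '::1' || h === '::') return true;
  if (/^fe[89ab][0-9a-f]:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h)) return true; // fe80::/10, fc00::/7
  let m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (m) return isInternalIPv4(m[1]);
  m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isInternalIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

function isInternalHost(hostname) {
  const h = hostname.toLowerCase();
  if (h.startsWith('[')) return isInternalIPv6(h);
  if (isInternalIPv4(h)) return true;
  return h === 'localhost' || h.endsWith('.localhost');
}

// Denylist guard. The WHATWG URL parser canonicalises "https://2130706433/"
// and "https://0x7f.1/" to "127.0.0.1", so the literal check sees the real
// address. Caveat: a public hostname that resolves to an internal address,
// or a redirect to one, is not caught here; the HTTP client must re-check
// after DNS resolution and must not follow redirects blindly.
function checkOutboundUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: 'unparseable' }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (isInternalHost(url.hostname)) return { ok: false, reason: `host ${url.hostname} is internal` };
  return { ok: true, reason: 'ok', url: url.href };
}

// Allowlist guard for a tunnel. A Sentry envelope begins with a JSON header
// line carrying the DSN "https://<key>@<host>/<projectId>"; a tunnel forwards
// the envelope to https://<host>/api/<projectId>/envelope/. Only host and
// project id are read from the DSN, each must be in a configured set, and the
// upstream URL is assembled from those validated pieces.
function resolveTunnelUpstream(envelopeText, { allowedHosts, knownProjectIds }) {
  const headerLine = envelopeText.split('\n', 1)[0];
  let header, dsn;
  try { header = JSON.parse(headerLine); } catch { return null; }
  if (!header || typeof header.dsn !== 'string') return null;
  try { dsn = new URL(header.dsn); } catch { return null; }
  if (!ALLOWED_SCHEMES.has(dsn.protocol)) return null;
  if (!allowedHosts.has(dsn.hostname)) return null;
  const projectId = dsn.pathname.replace(/^\/+/, ''); // "../" tricks are already normalised away
  if (!/^\d+$/.test(projectId) || !knownProjectIds.has(projectId)) return null;
  return `https://${dsn.hostname}/api/${projectId}/envelope/`;
}

// Constructed sample envelope: header line, item header, item payload.
const SAMPLE_ENVELOPE = [
  JSON.stringify({ dsn: 'https://examplePublicKey@o0.ingest.sentry.io/1234' }),
  JSON.stringify({ type: 'event' }),
  JSON.stringify({ message: 'hello from the browser' }),
  '',
].join('\n');

// Constructed tunnel configuration (assumed host and project id).
const TUNNEL_CONFIG = {
  allowedHosts: new Set(['o0.ingest.sentry.io']),
  knownProjectIds: new Set(['1234']),
};

console.log(resolveTunnelUpstream(SAMPLE_ENVELOPE, TUNNEL_CONFIG));
console.log(checkOutboundUrl('http://169.254.169.254/latest/meta-data/'));
```

The split matters: where the destination set is known (a tunnel to your own Sentry ingest host), rebuilding the URL from an allowlist removes the whole class of bugs, while a denylist of internal ranges is only for features that genuinely must reach arbitrary third-party hosts, and even then it has to be applied again after DNS resolution and on every redirect hop.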