CVE-2023-49094
Symbolicator Server Side Request Forgery vulnerability
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary HTTP GET requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected back to the attacker if they have an account on the Sentry instance. The issue has been fixed in release 23.11.2.
SSVC
- Decision: -
Timeline
- 2023-11-21 CVE Reserved
- 2023-11-30 CVE Published
- 2024-08-02 CVE Updated
- 2024-10-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
References (4)
URL | Date | Source
---|---|---
https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a | 2023-12-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Sentry | Symbolicator | >= 0.3.3 < 23.11.2 | - | Affected