CVE-2023-50249

Sentry's Astro SDK vulnerable to ReDoS

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0.

Sentry-Javascript es el SDK oficial de Sentry para JavaScript. Se ha identificado una vulnerabilidad ReDoS (Denegación de servicio de expresión regular) en Astro SDK 7.78.0-7.86.0 de Sentry. Bajo ciertas condiciones, esta vulnerabilidad permite que un atacante provoque tiempos de cálculo excesivos en el servidor, lo que lleva a una denegación de servicio (DoS). Esta vulnerabilidad ha sido parcheada en sentry/astro versión 7.87.0.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-05 CVE Reserved
2023-12-20 CVE Published
2024-08-02 CVE Updated
2024-11-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-1333: Inefficient Regular Expression Complexity

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb	2023-12-28
https://github.com/getsentry/sentry-javascript/pull/9815	2023-12-28

URL	Date	SRC
https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72	2023-12-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sentry Search vendor "Sentry"		Astro Search vendor "Sentry" for product "Astro"				>= 7.78.0 < 7.87.0 Search vendor "Sentry" for product "Astro" and version " >= 7.78.0 < 7.87.0"		node.js		Affected