CVE-2023-51451

SSRF in symbolicator via invalid protocol

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`.

Symbolicator es un servicio utilizado en Sentry. A partir de la versión 0.3.3 de Symbolicator y antes de la versión 21.12.1, un atacante podría hacer que Symbolicator enviara solicitudes HTTP GET a URL arbitrarias con direcciones IP internas mediante el uso de un protocolo no válido. Las respuestas a esas solicitudes podrían exponerse a través de la API de Symbolicator. En las instancias de Sentry afectadas, los datos podrían quedar expuestos a través de la API de Sentry y la interfaz de usuario si el atacante tiene una cuenta registrada. El problema se solucionó en la versión 23.12.1 de Symbolicator, la versión 23.12.1 autohospedada de Sentry y ya se mitigó en sentry.io el 18 de diciembre de 2023. Si no es posible actualizar, hay otras mitigaciones disponibles. Se puede deshabilitar el procesamiento de JS activando la opción "Allow JavaScript Source Fetching" en "Organization Settings > Security & Privacy" y/o deshabilitar todos los repositorios públicos que no sean de confianza en "Project Settings > Debug Files". Alternativamente, si no se requieren JavaScript ni la simbolización nativa, desactive Symbolicator por completo en `config.yml`.

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-19 CVE Reserved
2023-12-22 CVE Published
2024-01-04 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (4)

URL	Tag	Source
https://github.com/getsentry/self-hosted/releases/tag/23.12.1	Release Notes
https://github.com/getsentry/symbolicator/releases/tag/23.12.1	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/getsentry/symbolicator/pull/1343	2024-01-03
https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r	2024-01-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sentry Search vendor "Sentry"		Symbolicator Search vendor "Sentry" for product "Symbolicator"				>= 0.3.3 < 23.12.1 Search vendor "Sentry" for product "Symbolicator" and version " >= 0.3.3 < 23.12.1"		-		Affected