CVE-2023-51451
SSRF in symbolicator via invalid protocol
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`.
Symbolicator es un servicio utilizado en Sentry. A partir de la versión 0.3.3 de Symbolicator y antes de la versión 21.12.1, un atacante podría hacer que Symbolicator enviara solicitudes HTTP GET a URL arbitrarias con direcciones IP internas mediante el uso de un protocolo no válido. Las respuestas a esas solicitudes podrían exponerse a través de la API de Symbolicator. En las instancias de Sentry afectadas, los datos podrían quedar expuestos a través de la API de Sentry y la interfaz de usuario si el atacante tiene una cuenta registrada. El problema se solucionó en la versión 23.12.1 de Symbolicator, la versión 23.12.1 autohospedada de Sentry y ya se mitigó en sentry.io el 18 de diciembre de 2023. Si no es posible actualizar, hay otras mitigaciones disponibles. Se puede deshabilitar el procesamiento de JS activando la opción "Allow JavaScript Source Fetching" en "Organization Settings > Security & Privacy" y/o deshabilitar todos los repositorios públicos que no sean de confianza en "Project Settings > Debug Files". Alternativamente, si no se requieren JavaScript ni la simbolización nativa, desactive Symbolicator por completo en `config.yml`.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-12-19 CVE Reserved
- 2023-12-22 CVE Published
- 2024-01-04 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/getsentry/self-hosted/releases/tag/23.12.1 | Release Notes | |
https://github.com/getsentry/symbolicator/releases/tag/23.12.1 | Release Notes |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/getsentry/symbolicator/pull/1343 | 2024-01-03 | |
https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r | 2024-01-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Sentry Search vendor "Sentry" | Symbolicator Search vendor "Sentry" for product "Symbolicator" | >= 0.3.3 < 23.12.1 Search vendor "Sentry" for product "Symbolicator" and version " >= 0.3.3 < 23.12.1" | - |
Affected
|