CVE-2024-45605

Improper authorization on deletion of user issue alert notifications in sentry

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-02 CVE Reserved
2024-09-17 CVE Published
2024-09-18 CVE Updated
2024-09-27 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-639: Authorization Bypass Through User-Controlled Key

CAPEC

References (3)

URL	Tag	Source
https://github.com/getsentry/self-hosted	X_refsource_misc
https://github.com/getsentry/sentry/pull/77093	X_refsource_misc
https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Getsentry Search vendor "Getsentry"		Sentry Search vendor "Getsentry" for product "Sentry"				>= 23.9.0 < 24.9.0 Search vendor "Getsentry" for product "Sentry" and version " >= 23.9.0 < 24.9.0"		en		Affected