exploitDog
GHSA-593m-55hh-j8gv

Published: 3 Oct 2024
Source: github
GitHub: reviewed
CVSS4: 6.3
CVSS3: 5.6

Description

Sentry SDK Prototype Pollution gadget in JavaScript SDKs

Impact

If the user's application or one of its bundled libraries contains a Prototype Pollution vulnerability, the Sentry SDK could serve as a gadget for exploiting it. Exploitability depends on the specifics of the underlying Prototype Pollution issue.

Note: This advisory does not indicate a Prototype Pollution vulnerability within the Sentry SDK itself. Users are strongly advised to first fix any Prototype Pollution vulnerabilities in their own application, since those pose the more critical security risk.
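The "gadget" relationship described above is easier to see in code. The following is an added illustration, not Sentry's code and not the specific code path the advisory was issued for: an application-side recursive merge that can be polluted through a `__proto__` key, a hypothetical SDK-style function (`gadgetBuildReportUrl`) that reads an optional setting with a plain property lookup and therefore picks up the polluted value, the same function restricted to own properties, and the application-side fix the note says matters more. The attacker payload and the endpoint names are constructed for the example.

```javascript
'use strict';
// Added illustration (not Sentry's code): how a library function becomes a
// prototype-pollution "gadget" once the application has a pollution bug.

// 1. The application-side bug: a naive recursive merge of untrusted JSON.
//    Object.keys() lists "__proto__" as an own key of a parsed object, and
//    target["__proto__"] resolves to Object.prototype, so the recursion
//    writes attacker-chosen keys onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// 2. A hypothetical SDK-like gadget. Nothing here is a bug on its own: it reads
//    an optional setting with a plain property lookup. If the caller never set
//    it, the lookup walks up to Object.prototype and returns the polluted value.
function gadgetBuildReportUrl(options) {
  const endpoint = options.reportEndpoint || 'https://sdk.example.invalid/report';
  return endpoint + '?sdk=demo';
}

// 3. The same function with the lookup restricted to own properties; an
//    inherited (polluted) value is ignored and the default is used.
function hardenedBuildReportUrl(options) {
  const endpoint = Object.hasOwn(options, 'reportEndpoint')
    ? options.reportEndpoint
    : 'https://sdk.example.invalid/report';
  return endpoint + '?sdk=demo';
}

// 4. The application-side fix: refuse the keys that reach the prototype chain
//    and only recurse into the target's own nested objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body the application merges
// into its own config object.
const ATTACKER_JSON = '{"__proto__": {"reportEndpoint": "https://attacker.invalid/collect"}}';

// Run one scenario: the app merges the payload with the given merge function,
// then the "SDK" builds a URL from an options object in which the app never
// set reportEndpoint. Object.prototype is restored afterwards so the pollution
// does not leak into unrelated code.
function runScenario(merge, buildUrl) {
  merge({}, JSON.parse(ATTACKER_JSON));
  const sdkOptions = {};
  try {
    return buildUrl(sdkOptions);
  } finally {
    delete Object.prototype.reportEndpoint;
  }
}

// unsafeMerge + gadget   -> "https://attacker.invalid/collect?sdk=demo"
// unsafeMerge + hardened -> "https://sdk.example.invalid/report?sdk=demo"
// safeMerge   + gadget   -> "https://sdk.example.invalid/report?sdk=demo"
```

Either change on its own closes this particular chain: the hardened lookup makes the library useless as a gadget, and the safe merge removes the pollution that the gadget needs, which is why the advisory tells users to fix the application-side bug first.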

Patches

The issue was patched in all Sentry JavaScript SDKs starting with version 8.33.0. The fix was also backported to the v7 line in 7.119.1.


Packages

Name              Ecosystem   Affected versions             Fixed version
@sentry/browser   npm         >= 8.0.0-alpha.1, < 8.33.0    8.33.0
@sentry/browser   npm         < 7.119.1                     7.119.1

Severity

CVSS4: 6.3 Medium
CVSS3: 5.6 Medium

Weaknesses

CWE-913 (Improper Control of Dynamically-Managed Code Resources)
