CVE-2023-49094

Опубликовано: 30 нояб. 2023

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.

Ссылки

https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
Patch
Vendor Advisory
https://github.com/getsentry/symbolicator/pull/1332
Vendor Advisory
https://github.com/getsentry/symbolicator/releases/tag/23.11.2
Release Notes
Vendor Advisory
https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
Mitigation
Vendor Advisory
https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
Patch
Vendor Advisory
https://github.com/getsentry/symbolicator/pull/1332
Vendor Advisory
https://github.com/getsentry/symbolicator/releases/tag/23.11.2
Release Notes
Vendor Advisory
https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sentry:symbolicator:*:*:*:*:*:*:*:*

Версия от 0.3.3 (включая) до 23.11.2 (исключая)

EPSS

Процентиль: 56%

0.00336

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-918