CVE-2023-49094

EPSS 0.34%
Veröffentlicht 30.11.2023 05:15:09
Zuletzt bearbeitet 21.11.2024 08:32:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sentry ≫ Symbolicator Version >= 0.3.3 < 23.11.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.558

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a

Patch

Vendor Advisory

https://github.com/getsentry/symbolicator/pull/1332

Vendor Advisory

https://github.com/getsentry/symbolicator/releases/tag/23.11.2

Vendor Advisory

Release Notes

https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-49094