Lucene search

GitHub Advisory DatabaseGHSA-54M3-95J9-V89J

HistorySep 17, 2024 - 5:55 p.m.

Sentry improperly authorizes deletion of user issue alert notifications

2024-09-1717:55:29

CWE-639

GitHub Advisory Database

github.com

sentry

authorization

deletion

alert notifications

user issue

patch

scoped

self-hosted

upgrade

version 24.9.0

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

21.8%

JSON

Impact

An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.

References

Prevent muting user alerts

Affected configurations

Vulners

Node

sentrysentryRange23.9.0–24.9.0

VendorProductVersionCPE
sentrysentry*cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sentry	sentry	*	cpe:2.3:a:sentry:sentry::::::::

References

github.com/advisories/GHSA-54m3-95j9-v89j

github.com/getsentry/self-hosted

github.com/getsentry/sentry/commit/590258255bcb3a5fa4c56f21297b6c99131cfb9d

github.com/getsentry/sentry/pull/77093

github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j

nvd.nist.gov/vuln/detail/CVE-2024-45605

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

21.8%

JSON

Related for GHSA-54M3-95J9-V89J