OSV:GHSA-54M3-95J9-V89J
Sep 17, 2024 - 5:55 p.m.

Sentry improperly authorizes deletion of user issue alert notifications

2024-09-17 17:55:29
Google
osv.dev
sentry
authorization
vulnerability
patch
saas
self-hosted
upgrade

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.8
Confidence: High

EPSS: 0.001
Percentile: 21.8%

Impact

An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.
