CVE-2023-49094

Symbolicator Server Side Request Forgery vulnerability

CVSS 4.3 MEDIUMEPSS 0.7%CWE-918

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Produtos afetados

getsentry · symbolicator

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a https://github.com/getsentry/symbolicator/pull/1332 https://github.com/getsentry/symbolicator/releases/tag/23.11.2 https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6