CVE-2023-51451 - OpenCVE

Vendors	Products
Sentry	Symbolicator

Link	Providers
https://github.com/getsentry/self-hosted/releases/tag/23.12.1
https://github.com/getsentry/symbolicator/pull/1343
https://github.com/getsentry/symbolicator/releases/tag/23.12.1
https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51451", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-19T15:19:39.615Z", "datePublished": "2023-12-22T21:01:21.824Z", "dateUpdated": "2024-08-02T22:32:10.044Z"}, "containers": {"cna": {"title": "SSRF in symbolicator via invalid protocol", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"}, {"name": "https://github.com/getsentry/symbolicator/pull/1343", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/symbolicator/pull/1343"}, {"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"}, {"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"}], "affected": [{"vendor": "getsentry", "product": "symbolicator", "versions": [{"version": ">= 0.3.3, < 23.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T21:01:21.824Z"}, "descriptions": [{"lang": "en", "value": "Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`."}], "source": {"advisory": "GHSA-ghg9-7m82-h96r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:32:10.044Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"}, {"name": "https://github.com/getsentry/symbolicator/pull/1343", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/symbolicator/pull/1343"}, {"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"}, {"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sentry:symbolicator:*:*:*:*:*:*:*:*", "matchCriteriaId": "90A1A7B2-A187-4B37-B3DD-301CC6441B55", "versionEndExcluding": "23.12.1", "versionStartIncluding": "0.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`."}, {"lang": "es", "value": "Symbolicator es un servicio utilizado en Sentry. A partir de la versi\u00f3n 0.3.3 de Symbolicator y antes de la versi\u00f3n 21.12.1, un atacante podr\u00eda hacer que Symbolicator enviara solicitudes HTTP GET a URL arbitrarias con direcciones IP internas mediante el uso de un protocolo no v\u00e1lido. Las respuestas a esas solicitudes podr\u00edan exponerse a trav\u00e9s de la API de Symbolicator. En las instancias de Sentry afectadas, los datos podr\u00edan quedar expuestos a trav\u00e9s de la API de Sentry y la interfaz de usuario si el atacante tiene una cuenta registrada. El problema se solucion\u00f3 en la versi\u00f3n 23.12.1 de Symbolicator, la versi\u00f3n 23.12.1 autohospedada de Sentry y ya se mitig\u00f3 en sentry.io el 18 de diciembre de 2023. Si no es posible actualizar, hay otras mitigaciones disponibles. Se puede deshabilitar el procesamiento de JS activando la opci\u00f3n \"Allow JavaScript Source Fetching\" en \"Organization Settings > Security & Privacy\" y/o deshabilitar todos los repositorios p\u00fablicos que no sean de confianza en \"Project Settings > Debug Files\". Alternativamente, si no se requieren JavaScript ni la simbolizaci\u00f3n nativa, desactive Symbolicator por completo en `config.yml`."}], "id": "CVE-2023-51451", "lastModified": "2024-01-03T20:52:26.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-22T21:15:09.297", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsentry/symbolicator/pull/1343"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object