Vulnerabilities > CVE-2023-49094 - Server-Side Request Forgery (SSRF) vulnerability in Sentry Symbolicator

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

sentry

CWE-918

NVD

Published: 2023-11-30

Updated: 2023-12-12

Summary

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.

Vulnerable Configurations

Part	Description	Count
Application	Sentry Sentry Symbolicator *	1

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
https://github.com/getsentry/symbolicator/pull/1332
https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
https://github.com/getsentry/symbolicator/releases/tag/23.11.2