CVE-2023-49094

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
VendorProductVersion
sentrysymbolicator
0.3.3 ≤
𝑥
< 23.11.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
https://github.com/getsentry/symbolicator/pull/1332
https://github.com/getsentry/symbolicator/releases/tag/23.11.2
https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
https://github.com/getsentry/symbolicator/pull/1332
https://github.com/getsentry/symbolicator/releases/tag/23.11.2
https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6