CVE-2023-49094

medium

Description

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.

References

https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6

https://github.com/getsentry/symbolicator/releases/tag/23.11.2

https://github.com/getsentry/symbolicator/pull/1332

https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a

Details

Source: Mitre, NVD

Published: 2023-11-30

Updated: 2023-12-12

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00113