CVE-2023-49094
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| getsentry | symbolicator | >= 0.3.3, < 23.11.2 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
- https://github.com/getsentry/symbolicator/pull/1332
- https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
- https://github.com/getsentry/symbolicator/releases/tag/23.11.2
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6
- https://github.com/getsentry/symbolicator/pull/1332
- https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a
- https://github.com/getsentry/symbolicator/releases/tag/23.11.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.