Sentry vulnerable to improper authorization on debug and artifact file downloads
CVE-2023-36826

7.7 HIGH

Key Information:

Vendor

Getsentry

Status
Vendor
CVE Published:
25 July 2023

What is CVE-2023-36826?

In Sentry, a leading error tracking and performance monitoring platform, an issue was identified that allows an authenticated user to download debug or artifact bundles from any organization and project by using a known bundle ID. This vulnerability poses a risk as neither membership in the organization nor specific project permissions are required, potentially exposing sensitive information. The issue has been addressed in version 23.5.2, which enhances authorization checks to prevent unauthorized access. Users of Sentry's SaaS offerings are automatically protected, while self-hosted users should upgrade promptly to maintain security.
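The flaw described above is a missing ownership check on a download route. As an added illustration (not Sentry's code; all names, routes and sample data below are hypothetical), this Python model places the pre-fix pattern, which authorizes an authenticated request by bundle ID alone, beside a hardened handler that scopes the lookup to the organization and project named in the route and requires membership and project access first.

```python
"""Constructed model of the flaw in CVE-2023-36826; hypothetical, not Sentry code."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class Bundle:
    bundle_id: str
    org: str
    project: str
    payload: bytes


@dataclass
class User:
    name: str
    org_memberships: set = field(default_factory=set)
    project_access: set = field(default_factory=set)  # (org, project) pairs


# Constructed sample data: two tenants, one debug/artifact bundle each.
BUNDLES = {
    "b-1111": Bundle("b-1111", "acme", "web", b"acme debug symbols"),
    "b-2222": Bundle("b-2222", "globex", "api", b"globex sourcemaps"),
}


def download_vulnerable(user, bundle_id):
    """Pre-23.5.2 pattern: authenticated, but authorized by bundle ID only."""
    if user is None:
        raise Forbidden("login required")
    bundle = BUNDLES.get(bundle_id)
    if bundle is None:
        raise NotFound(bundle_id)
    return bundle.payload  # any logged-in user reaches any tenant's bundle


def download_fixed(user, org, project, bundle_id):
    """Hardened pattern: the route names the org/project, the caller must be a
    member with access to that project, and the lookup is scoped to it."""
    if user is None:
        raise Forbidden("login required")
    if org not in user.org_memberships or (org, project) not in user.project_access:
        raise NotFound(bundle_id)  # same error as a missing bundle: no tenant oracle
    bundle = BUNDLES.get(bundle_id)
    if bundle is None or (bundle.org, bundle.project) != (org, project):
        raise NotFound(bundle_id)  # a known ID from another project is not enough
    return bundle.payload
```

The fixed handler deliberately answers a foreign bundle ID with the same "not found" result as a nonexistent one, so the response does not confirm which IDs exist in other organizations.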

Affected Version(s)

sentry >= 8.21.0, < 23.5.2

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved