SSRF Vulnerability in Sentry's Phabricator Integration Affects Performance Monitoring
CVE-2024-24829

CVSS v3.1 score: 5.3 (MEDIUM)

Key Information:

Vendor: Sentry
Status: Vendor
CVE Published: 9 February 2024

What is CVE-2024-24829?

Sentry's Phabricator integration, part of its error tracking and performance monitoring platform, is affected by a constrained Server-Side Request Forgery (SSRF) vulnerability. Because the integration does not sanitize its input, an attacker with access to a Sentry instance can make the server send HTTP POST requests to arbitrary URLs, including internal IP addresses. Although the request body is limited to a specific format, the vulnerability still allows interaction with internal networks and local or remote port scanning. The issue has been fixed in Sentry self-hosted release 24.1.2, and an immediate mitigation was applied on the sentry.io platform on February 8. Users are strongly advised to upgrade, as no known workarounds exist.
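The root cause described above is an integration that accepts a user-supplied URL and posts to it without checking where it points. The following is an added illustration of the kind of destination check that closes this class of SSRF; it is example code, not Sentry's fix, and it assumes an HTTPS-only policy and uses a constructed `FAKE_DNS` table and `fake_resolve` helper so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: integration endpoints are configured over HTTPS only

def is_public_address(ip_str: str) -> bool:
    """True only for globally routable unicast addresses (rejects RFC 1918, loopback, link-local, multicast)."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1, not as "some IPv6 address"
    return ip.is_global and not ip.is_multicast

def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_integration_url(url: str, resolve=resolve_all) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied integration base URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP (including bracketed IPv6): nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:  # a single internal answer is enough to reject the whole host
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"

# Constructed DNS table (hypothetical names) so the example runs offline: the first
# name is purely public, the second mixes a public answer with an RFC 1918 one.
FAKE_DNS = {"phab.example.com": ["93.184.216.34"], "mixed.example.com": ["93.184.216.34", "10.0.0.5"]}

def fake_resolve(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]
```

Validating at configuration time alone still leaves a window for DNS rebinding, so the HTTP client should connect to the address that passed the check (or re-run the check on the address it is about to connect to) rather than resolving the name again later.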

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published