Authorization Vulnerability in Sentry Error Tracking Platform
CVE-2024-45606

4.3 MEDIUM

Key Information:

Vendor: Sentry

Status
Vendor
CVE Published: 17 September 2024

What is CVE-2024-45606?

An authenticated user in Sentry, a developer-first error tracking and performance monitoring platform, could potentially mute alert rules across various organizations and projects using a known rule ID, regardless of their membership or permission status. Although no instances of alerts being muted by unauthorized parties have been documented, this flaw raised significant security concerns. To address this issue, an update was released to enforce proper authorization checks for requests aimed at muting alert rules. Users without the requisite permissions will be unable to mute alerts. While Sentry SaaS users are unaffected and require no action, self-hosted Sentry users must upgrade to version 24.9.0 or later to mitigate this risk.
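
The class of flaw described above, shown as an added example that is not Sentry's code: a mute handler that resolves a rule by bare ID next to one that authorizes the caller against the project owning the rule. The data model, the function names and the `rule:mute` scope are hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller lacks permission on the rule's project."""


@dataclass
class Rule:
    id: int
    project_id: int
    muted_for: set = field(default_factory=set)  # user IDs that muted this rule


@dataclass
class User:
    id: int
    # project_id -> set of scopes; a constructed permission model
    scopes: dict = field(default_factory=dict)


def new_store():
    # Constructed sample data: two rules in two unrelated projects.
    return {101: Rule(101, project_id=1), 202: Rule(202, project_id=2)}


def mute_unchecked(store, user, rule_id):
    """Flawed pattern: authentication only, the rule is resolved by bare ID."""
    rule = store[rule_id]
    rule.muted_for.add(user.id)
    return rule


def mute_checked(store, user, rule_id, scope="rule:mute"):
    """Hardened pattern: authorize against the project that owns the rule."""
    rule = store.get(rule_id)
    # Treat "no such rule" and "not permitted" alike so the response
    # does not confirm which rule IDs exist.
    if rule is None or scope not in user.scopes.get(rule.project_id, set()):
        raise Forbidden(f"user {user.id} may not mute rule {rule_id}")
    rule.muted_for.add(user.id)
    return rule
```

A regression test for this kind of fix should assert that a user with no membership in the owning project is rejected and that the rule's mute state is unchanged afterwards.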

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published