Search criteria
6 vulnerabilities found for symbolicator by sentry
FKIE_CVE-2023-51451
Vulnerability from fkie_nvd - Published: 2023-12-22 21:15 - Updated: 2024-11-21 08:38
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sentry | symbolicator | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sentry:symbolicator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90A1A7B2-A187-4B37-B3DD-301CC6441B55",
"versionEndExcluding": "23.12.1",
"versionStartIncluding": "0.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator\u0027s API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings \u003e Security \u0026 Privacy` and/or disable all untrusted public repositories under `Project Settings \u003e Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`."
},
{
"lang": "es",
"value": "Symbolicator es un servicio utilizado en Sentry. A partir de la versi\u00f3n 0.3.3 de Symbolicator y antes de la versi\u00f3n 21.12.1, un atacante podr\u00eda hacer que Symbolicator enviara solicitudes HTTP GET a URL arbitrarias con direcciones IP internas mediante el uso de un protocolo no v\u00e1lido. Las respuestas a esas solicitudes podr\u00edan exponerse a trav\u00e9s de la API de Symbolicator. En las instancias de Sentry afectadas, los datos podr\u00edan quedar expuestos a trav\u00e9s de la API de Sentry y la interfaz de usuario si el atacante tiene una cuenta registrada. El problema se solucion\u00f3 en la versi\u00f3n 23.12.1 de Symbolicator, la versi\u00f3n 23.12.1 autohospedada de Sentry y ya se mitig\u00f3 en sentry.io el 18 de diciembre de 2023. Si no es posible actualizar, hay otras mitigaciones disponibles. Se puede deshabilitar el procesamiento de JS activando la opci\u00f3n \"Allow JavaScript Source Fetching\" en \"Organization Settings \u0026gt; Security \u0026amp; Privacy\" y/o deshabilitar todos los repositorios p\u00fablicos que no sean de confianza en \"Project Settings \u0026gt; Debug Files\". Alternativamente, si no se requieren JavaScript ni la simbolizaci\u00f3n nativa, desactive Symbolicator por completo en `config.yml`."
}
],
"id": "CVE-2023-51451",
"lastModified": "2024-11-21T08:38:08.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-22T21:15:09.297",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-49094
Vulnerability from fkie_nvd - Published: 2023-11-30 05:15 - Updated: 2024-11-21 08:32
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sentry | symbolicator | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sentry:symbolicator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A146A56-9BF7-4D5A-B10B-791725ACC7F0",
"versionEndExcluding": "23.11.2",
"versionStartIncluding": "0.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.\n"
},
{
"lang": "es",
"value": "Symbolicator es un servicio de simbolizaci\u00f3n para seguimientos de pila y minivolcados nativos con soporte de servidor de s\u00edmbolos. Un atacante podr\u00eda hacer que Symbolicator env\u00ede solicitudes GET HTTP arbitrarias a direcciones IP internas mediante el uso de un endpoint HTTP especialmente manipulado. La respuesta podr\u00eda reflejarse al atacante si tiene una cuenta en la instancia Sentry. El problema se solucion\u00f3 en la versi\u00f3n 23.11.2."
}
],
"id": "CVE-2023-49094",
"lastModified": "2024-11-21T08:32:48.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-30T05:15:09.123",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2023-51451 (GCVE-0-2023-51451)
Vulnerability from cvelistv5 – Published: 2023-12-22 21:01 – Updated: 2024-08-02 22:32
VLAI?
Title
SSRF in symbolicator via invalid protocol
Summary
Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getsentry | symbolicator |
Affected:
>= 0.3.3, < 23.12.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:10.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1343",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "symbolicator",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.3, \u003c 23.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator\u0027s API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings \u003e Security \u0026 Privacy` and/or disable all untrusted public repositories under `Project Settings \u003e Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T21:01:21.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1343",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
}
],
"source": {
"advisory": "GHSA-ghg9-7m82-h96r",
"discovery": "UNKNOWN"
},
"title": "SSRF in symbolicator via invalid protocol"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51451",
"datePublished": "2023-12-22T21:01:21.824Z",
"dateReserved": "2023-12-19T15:19:39.615Z",
"dateUpdated": "2024-08-02T22:32:10.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49094 (GCVE-0-2023-49094)
Vulnerability from cvelistv5 – Published: 2023-11-30 04:49 – Updated: 2025-06-05 13:31
VLAI?
Title
Symbolicator Server Side Request Forgery vulnerability
Summary
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getsentry | symbolicator |
Affected:
>= 0.3.3, < 23.11.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.667Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1332",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"name": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T13:28:21.041454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:31:36.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symbolicator",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.3, \u003c 23.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T04:49:37.404Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1332",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"name": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
}
],
"source": {
"advisory": "GHSA-6576-pr6j-h9c6",
"discovery": "UNKNOWN"
},
"title": "Symbolicator Server Side Request Forgery vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49094",
"datePublished": "2023-11-30T04:49:37.404Z",
"dateReserved": "2023-11-21T18:57:30.429Z",
"dateUpdated": "2025-06-05T13:31:36.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51451 (GCVE-0-2023-51451)
Vulnerability from nvd – Published: 2023-12-22 21:01 – Updated: 2024-08-02 22:32
VLAI?
Title
SSRF in symbolicator via invalid protocol
Summary
Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator's API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings > Security & Privacy` and/or disable all untrusted public repositories under `Project Settings > Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getsentry | symbolicator |
Affected:
>= 0.3.3, < 23.12.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:10.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1343",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "symbolicator",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.3, \u003c 23.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via Symbolicator\u0027s API. In affected Sentry instances, the data could be exposed through the Sentry API and user interface if the attacker has a registered account. The issue has been fixed in Symbolicator release 23.12.1, Sentry self-hosted release 23.12.1, and has already been mitigated on sentry.io on December 18, 2023. If updating is not possible, some other mitigations are available. One may disable JS processing by toggling the option `Allow JavaScript Source Fetching` in `Organization Settings \u003e Security \u0026 Privacy` and/or disable all untrusted public repositories under `Project Settings \u003e Debug Files`. Alternatively, if JavaScript and native symbolication are not required, disable Symbolicator completely in `config.yml`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T21:01:21.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-ghg9-7m82-h96r"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1343",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/pull/1343"
},
{
"name": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/self-hosted/releases/tag/23.12.1"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.12.1"
}
],
"source": {
"advisory": "GHSA-ghg9-7m82-h96r",
"discovery": "UNKNOWN"
},
"title": "SSRF in symbolicator via invalid protocol"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51451",
"datePublished": "2023-12-22T21:01:21.824Z",
"dateReserved": "2023-12-19T15:19:39.615Z",
"dateUpdated": "2024-08-02T22:32:10.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49094 (GCVE-0-2023-49094)
Vulnerability from nvd – Published: 2023-11-30 04:49 – Updated: 2025-06-05 13:31
VLAI?
Title
Symbolicator Server Side Request Forgery vulnerability
Summary
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getsentry | symbolicator |
Affected:
>= 0.3.3, < 23.11.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.667Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1332",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"name": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T13:28:21.041454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:31:36.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "symbolicator",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.3, \u003c 23.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T04:49:37.404Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/symbolicator/security/advisories/GHSA-6576-pr6j-h9c6"
},
{
"name": "https://github.com/getsentry/symbolicator/pull/1332",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/pull/1332"
},
{
"name": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/commit/9db2fb9197dd200d62aacebd8efef4df7678865a"
},
{
"name": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/symbolicator/releases/tag/23.11.2"
}
],
"source": {
"advisory": "GHSA-6576-pr6j-h9c6",
"discovery": "UNKNOWN"
},
"title": "Symbolicator Server Side Request Forgery vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49094",
"datePublished": "2023-11-30T04:49:37.404Z",
"dateReserved": "2023-11-21T18:57:30.429Z",
"dateUpdated": "2025-06-05T13:31:36.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}