cvelistv5 - cve-2023-36826

URL	Tags
security-advisories@github.com	https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9	Patch
security-advisories@github.com	https://github.com/getsentry/sentry/pull/49680	Patch
security-advisories@github.com	https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8	Vendor Advisory

▼	Vendor	Product
	getsentry	sentry

ghsa-m4hc-m2v6-hfw8

Vulnerability from github

Published

2023-07-25 17:19

Modified

2024-10-26 22:53

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
8.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Summary

Improper authorization on debug and artifact file downloads

Details

Impact

An authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.

References

Restrict file downloads to Project

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.21.0"
            },
            {
              "fixed": "23.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T17:19:48Z",
    "nvd_published_at": "2023-07-25T19:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project.\n\n### Patches\n\nA patch was issued to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them.\n\n**Sentry SaaS users do not need to take any action. [Self-Hosted Sentry](https://github.com/getsentry/self-hosted) users should upgrade to version 23.5.2 or higher.**\n\n### References\n\n- [Restrict file downloads to Project](https://github.com/getsentry/sentry/pull/49680)",
  "id": "GHSA-m4hc-m2v6-hfw8",
  "modified": "2024-10-26T22:53:43Z",
  "published": "2023-07-25T17:19:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/49680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2023-130.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper authorization on debug and artifact file downloads"
}

pysec-2023-130

Vulnerability from pysec

Published

2023-07-25 19:15

Modified

2023-08-02 16:31

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry",
        "purl": "pkg:pypi/sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "e932b15435bf36239431eaa3790a6bcfa47046a9"
            }
          ],
          "repo": "https://github.com/getsentry/sentry",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "8.21.0"
            },
            {
              "fixed": "23.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "10.0.0",
        "10.0.1",
        "20.10.1",
        "20.11.0",
        "20.11.1",
        "20.12.0",
        "20.12.1",
        "20.6.0",
        "20.7.0",
        "20.7.1",
        "20.7.2",
        "20.8.0",
        "21.1.0",
        "21.10.0",
        "21.11.0",
        "21.12.0",
        "21.2.0",
        "21.3.0",
        "21.3.1",
        "21.4.0",
        "21.4.1",
        "21.5.0",
        "21.5.1",
        "21.6.0",
        "21.6.1",
        "21.6.2",
        "21.6.3",
        "21.7.0",
        "21.8.0",
        "21.9.0",
        "22.1.0",
        "22.10.0",
        "22.11.0",
        "22.12.0",
        "22.2.0",
        "22.3.0",
        "22.4.0",
        "22.5.0",
        "22.6.0",
        "22.7.0",
        "22.8.0",
        "22.9.0",
        "23.1.0",
        "23.1.1",
        "23.2.0",
        "23.3.0",
        "23.3.1",
        "23.4.0",
        "23.5.0",
        "23.5.1",
        "8.21.0",
        "8.22.0",
        "9.0.0",
        "9.0.0rc1",
        "9.1.0",
        "9.1.1",
        "9.1.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36826",
    "GHSA-m4hc-m2v6-hfw8"
  ],
  "details": "Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.",
  "id": "PYSEC-2023-130",
  "modified": "2023-08-02T16:31:39.850029+00:00",
  "published": "2023-07-25T19:15:00+00:00",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8"
    },
    {
      "type": "FIX",
      "url": "https://github.com/getsentry/sentry/pull/49680"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2023-36826

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.

Aliases

CVE-2023-36826

Aliases

CVE-2023-36826

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-36826",
    "id": "GSD-2023-36826"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-36826"
      ],
      "details": "Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.",
      "id": "GSD-2023-36826",
      "modified": "2023-12-13T01:20:34.818879Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-36826",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "sentry",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 8.21.0, \u003c 23.5.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getsentry"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-285",
                "lang": "eng",
                "value": "CWE-285: Improper Authorization"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8",
            "refsource": "MISC",
            "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8"
          },
          {
            "name": "https://github.com/getsentry/sentry/pull/49680",
            "refsource": "MISC",
            "url": "https://github.com/getsentry/sentry/pull/49680"
          },
          {
            "name": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9",
            "refsource": "MISC",
            "url": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-m4hc-m2v6-hfw8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.21.0,\u003c23.5.2",
          "affected_versions": "All versions starting from 8.21.0 before 23.5.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2023-08-02",
          "description": "Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher.",
          "fixed_versions": [
            "23.5.2"
          ],
          "identifier": "CVE-2023-36826",
          "identifiers": [
            "CVE-2023-36826",
            "GHSA-m4hc-m2v6-hfw8"
          ],
          "not_impacted": "All versions before 8.21.0, all versions starting from 23.5.2",
          "package_slug": "pypi/sentry",
          "pubdate": "2023-07-25",
          "solution": "Upgrade to version 23.5.2 or above.",
          "title": "Incorrect Authorization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-36826",
            "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9",
            "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8",
            "https://github.com/getsentry/sentry/pull/49680"
          ],
          "uuid": "d2b49afc-0c20-4263-af77-3c954215202e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "23.5.2",
                "versionStartIncluding": "8.21.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-36826"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9"
            },
            {
              "name": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8"
            },
            {
              "name": "https://github.com/getsentry/sentry/pull/49680",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/getsentry/sentry/pull/49680"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-02T15:57Z",
      "publishedDate": "2023-07-25T19:15Z"
    }
  }
}

cve-2023-36826

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2023-36826

Vulnerability from cvelistv5

ghsa-m4hc-m2v6-hfw8

Vulnerability from github

Impact

Patches

References

pysec-2023-130

Vulnerability from pysec

gsd-2023-36826

Vulnerability from gsd

Tags

Sightings

Nomenclature