CVE-2024-45605 (GCVE-0-2024-45605)
Vulnerability from cvelistv5 – Published: 2024-09-17 19:44 – Updated: 2024-09-18 13:19
Summary
Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user can delete the user issue alert notifications of arbitrary users given a known alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.
Severity
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j | x_refsource_CONFIRM |
| https://github.com/getsentry/sentry/pull/77093 | x_refsource_MISC |
| https://github.com/getsentry/self-hosted | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T13:19:19.399502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T13:19:27.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sentry",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e=23.9.0, \u003c 24.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T19:44:50.664Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j"
},
{
"name": "https://github.com/getsentry/sentry/pull/77093",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry/pull/77093"
},
{
"name": "https://github.com/getsentry/self-hosted",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/self-hosted"
}
],
"source": {
"advisory": "GHSA-54m3-95j9-v89j",
"discovery": "UNKNOWN"
},
"title": "Improper authorization on deletion of user issue alert notifications in sentry"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45605",
"datePublished": "2024-09-17T19:44:50.664Z",
"dateReserved": "2024-09-02T16:00:02.424Z",
"dateUpdated": "2024-09-18T13:19:27.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"23.9.0\", \"versionEndExcluding\": \"24.9.0\", \"matchCriteriaId\": \"2E6FD59C-D86A-4163-9245-EC4000DC98FC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Sentry es una plataforma de monitoreo de rendimiento y seguimiento de errores que prioriza a los desarrolladores. Un usuario autenticado elimina las notificaciones de alerta de emisi\\u00f3n de usuario para usuarios arbitrarios a partir de una ID de alerta conocida. Se emiti\\u00f3 un parche para garantizar que las verificaciones de autorizaci\\u00f3n tengan el alcance adecuado en las solicitudes de eliminaci\\u00f3n de notificaciones de alerta de usuario. Los usuarios de Sentry SaaS no necesitan realizar ninguna acci\\u00f3n. Los usuarios de Sentry alojado en servidores propios deben actualizar a la versi\\u00f3n 24.9.0 o superior. No existen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2024-45605",
"lastModified": "2024-09-26T19:14:00.873",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
"published": "2024-09-17T20:15:05.120",
"references": "[{\"url\": \"https://github.com/getsentry/self-hosted\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/getsentry/sentry/pull/77093\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\", \"Patch\"]}, {\"url\": \"https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45605\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-17T20:15:05.120\",\"lastModified\":\"2024-09-26T19:14:00.873\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Sentry es una plataforma de monitoreo de rendimiento y seguimiento de errores que prioriza a los desarrolladores. Un usuario autenticado elimina las notificaciones de alerta de emisi\u00f3n de usuario para usuarios arbitrarios a partir de una ID de alerta conocida. Se emiti\u00f3 un parche para garantizar que las verificaciones de autorizaci\u00f3n tengan el alcance adecuado en las solicitudes de eliminaci\u00f3n de notificaciones de alerta de usuario. Los usuarios de Sentry SaaS no necesitan realizar ninguna acci\u00f3n. Los usuarios de Sentry alojado en servidores propios deben actualizar a la versi\u00f3n 24.9.0 o superior. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"23.9.0\",\"versionEndExcluding\":\"24.9.0\",\"matchCriteriaId\":\"2E6FD59C-D86A-4163-9245-EC4000DC98FC\"}]}]}],\"references\":[{\"url\":\"https://github.com/getsentry/self-hosted\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/getsentry/sentry/pull/77093\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45605\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T13:19:19.399502Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T13:19:23.202Z\"}}], \"cna\": {\"title\": \"Improper authorization on deletion of user issue alert notifications in sentry\", \"source\": {\"advisory\": \"GHSA-54m3-95j9-v89j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"getsentry\", \"product\": \"sentry\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e=23.9.0, \u003c 24.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j\", \"name\": \"https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getsentry/sentry/pull/77093\", \"name\": \"https://github.com/getsentry/sentry/pull/77093\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getsentry/self-hosted\", \"name\": \"https://github.com/getsentry/self-hosted\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-17T19:44:50.664Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45605\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-18T13:19:27.312Z\", \"dateReserved\": \"2024-09-02T16:00:02.424Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-17T19:44:50.664Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.