CVE-2023-46729

Published: Nov 10, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.

Affected (1)

Products: Sentry: Sentry Software Development Kit

1 product

Sentry Software Development Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sentry Sentry Software Development Kit	From 7.26.0 to 7.77.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be

Source: security-advisories@github.com

Patch

https://github.com/getsentry/sentry-javascript/pull/9415

Source: security-advisories@github.com

Patch

https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9

Source: security-advisories@github.com

Vendor Advisory

https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/getsentry/sentry-javascript/pull/9415

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.