GHSA-v345-w9f2-mpm5

Source
https://github.com/advisories/GHSA-v345-w9f2-mpm5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-v345-w9f2-mpm5/GHSA-v345-w9f2-mpm5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v345-w9f2-mpm5
Aliases
Published
2024-09-17T17:55:38Z
Modified
2024-09-17T22:34:26.140261Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Sentry improperly authorizes muting of alert rules
Details

Impact

An authenticated user can mute alert rules belonging to arbitrary organizations and projects given a known rule ID. The user does not need to be a member of the organization or have permissions on the project; any valid account is enough.

In our review, we have identified no instances where alerts have been muted by unauthorized parties.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to mute alert rules. Authenticated users who do not have the necessary permissions are no longer able to mute alerts.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.
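The pattern the advisory describes, as an added illustration that is not Sentry's code: a mute handler that verifies the caller's membership against the organization and project named in the request but then loads the rule by its global ID (so the two need not agree), beside a version whose rule lookup is scoped to that same organization and project. The data model, user names, rule IDs and function names are constructed for the example; how Sentry's own endpoint was structured before and after the patch is not stated on this page.

```python
"""Added illustration (not Sentry's code): an unscoped mute handler beside a
scoped one. The model below is hypothetical; only the shape of the bug is
taken from the advisory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertRule:
    id: int
    organization: str
    project: str


class PermissionDenied(Exception):
    """Caller may not act on the named organization/project (HTTP 403)."""


class NotFound(Exception):
    """No such rule within the caller's scope (HTTP 404)."""


# Constructed sample data (hypothetical model, not Sentry's schema). Rule IDs
# are global integers, so a rule in another organization is reachable by
# guessing or leaking a single small number.
RULES = {
    101: AlertRule(101, organization="acme", project="web"),
    202: AlertRule(202, organization="globex", project="billing"),
}

# user -> {organization -> set of projects the user may manage}
MEMBERSHIPS = {
    "alice": {"acme": {"web"}},
    "mallory": {"evil-corp": {"sandbox"}},
}


def _check_membership(user, organization, project):
    """Authorization check on the organization/project the caller names."""
    if project not in MEMBERSHIPS.get(user, {}).get(organization, set()):
        raise PermissionDenied(f"{user} may not manage {organization}/{project}")


def mute_rule_unscoped(user, organization, project, rule_id, muted):
    """Vulnerable pattern: the permission check and the object lookup use
    different keys. Membership is verified for the org/project in the request,
    but the rule is fetched by ID alone, so a member of any organization can
    mute any rule whose ID they know."""
    _check_membership(user, organization, project)
    rule = RULES.get(rule_id)
    if rule is None:
        raise NotFound(rule_id)
    muted.add(rule.id)
    return rule


def mute_rule_scoped(user, organization, project, rule_id, muted):
    """Fixed pattern: the rule must belong to the very organization/project
    the permission check was made against; anything else is a 404."""
    _check_membership(user, organization, project)
    rule = RULES.get(rule_id)
    if rule is None or (rule.organization, rule.project) != (organization, project):
        # 404 rather than 403, so the response does not confirm that the ID
        # exists in some other organization.
        raise NotFound(rule_id)
    muted.add(rule.id)
    return rule


def attempt(handler, user, organization, project, rule_id):
    """Run one mute request against a fresh mute set and report the outcome."""
    muted = set()
    try:
        handler(user, organization, project, rule_id, muted)
    except PermissionDenied:
        return "forbidden"
    except NotFound:
        return "not found"
    return "muted"


if __name__ == "__main__":
    # mallory is a member only of evil-corp/sandbox and targets acme's rule 101.
    print("unscoped:", attempt(mute_rule_unscoped, "mallory", "evil-corp", "sandbox", 101))  # muted
    print("scoped:", attempt(mute_rule_scoped, "mallory", "evil-corp", "sandbox", 101))      # not found
    print("owner:", attempt(mute_rule_scoped, "alice", "acme", "web", 101))                  # muted
```

The check to carry into your own code review is that every object lookup after an authorization decision is keyed on the same tenant the decision was made for; a membership check alone proves nothing about an ID the client supplied.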

Affected Versions

The rule mute feature was generally available as of 23.6.0, but users with early access may have had the feature as of 23.4.0, so the affected range starts there.

References

Affected packages

PyPI / sentry

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.4.0
Fixed
24.9.0
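To turn the range above (introduced 23.4.0, fixed 24.9.0) into a yes/no answer for a self-hosted deployment, here is an added example that evaluates a version string under OSV's ECOSYSTEM range semantics and, optionally, checks the `sentry` distribution installed in the current Python environment. It is not OSV's or Sentry's code; the function names are the example's own, and it generalises beyond this advisory by also handling OSV's `last_affected` event and the `0` marker for "every version".

```python
"""Added example (not OSV's or Sentry's code): evaluate a version against an
OSV ECOSYSTEM range such as the one on this advisory page."""
import re
from importlib import metadata

# The affected range exactly as given on this advisory page.
SENTRY_AFFECTED_RANGE = [{"introduced": "23.4.0"}, {"fixed": "24.9.0"}]


def parse_version(text):
    """Turn a dotted numeric version such as Sentry's '24.9.0' into a tuple.
    Trailing zeros are dropped so '23.4' and '23.4.0' compare equal, and OSV's
    '0' (meaning 'every version') becomes the empty tuple, which sorts first.
    Pre-release or non-numeric segments are rejected rather than guessed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, events):
    """OSV range semantics: sort the events by version and apply every event
    at or below the queried version in order. 'introduced' means affected from
    that version on, 'fixed' means unaffected from that version on, and
    'last_affected' means affected through that version inclusive."""
    v = parse_version(version)
    ordered = sorted(
        ((kind, parse_version(bound)) for event in events for kind, bound in event.items()),
        key=lambda kb: kb[1],
    )
    affected = False
    for kind, bound in ordered:
        if bound > v:
            break
        if kind == "introduced":
            affected = True
        elif kind == "fixed":
            affected = False
        elif kind == "last_affected":
            affected = bound == v
    return affected


def sentry_version_affected(version):
    """True if a self-hosted Sentry at this version falls inside the advisory's range."""
    return is_affected(version, SENTRY_AFFECTED_RANGE)


def installed_sentry_affected():
    """Check the 'sentry' distribution in the current environment, if any.
    Returns None when it is not installed or its version cannot be parsed."""
    try:
        installed = metadata.version("sentry")
        return sentry_version_affected(installed)
    except (metadata.PackageNotFoundError, ValueError):
        return None


if __name__ == "__main__":
    for candidate in ("23.3.1", "23.4.0", "24.8.0", "24.9.0", "24.10.0"):
        print(candidate, "affected" if sentry_version_affected(candidate) else "not affected")
    print("installed sentry:", installed_sentry_affected())
```

Note that the `fixed` bound is exclusive and the `introduced` bound inclusive, which is why 24.9.0 itself reports as not affected and 23.4.0 as affected; a naive string comparison would also misorder 24.10.0 against 24.9.0, which the tuple comparison avoids.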

Affected versions

23.*

23.4.0
23.5.0
23.5.1
23.5.2
23.6.0
23.6.1
23.6.2
23.7.0
23.7.1