SB2024091789 - Multiple vulnerabilities in sentry

Description

This security bulletin contains information about 2 vulnerabilities.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-45605)

The vulnerability allows a remote user to delete user issue alert notifications for arbitrary users.

The vulnerability exists due to authorization bypass through a user-controlled key in the user issue alert notification deletion endpoint when handling deletion requests with a known alert ID. A remote user can send a crafted deletion request to delete user issue alert notifications for arbitrary users.

2) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-45606)

The vulnerability allows a remote attacker to mute alert rules in arbitrary organizations and projects.

The vulnerability exists due to authorization bypass through a user-controlled key in the alert rule mute request handling when processing a mute request with a known rule ID. A remote attacker can send a crafted mute request referencing another organization's or project's rule ID to mute alert rules in arbitrary organizations and projects.

The user does not need to be a member of the target organization or have permissions on the target project.

Remediation

Install update from vendor's website.

References

• https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j
• https://github.com/advisories/GHSA-54m3-95j9-v89j
• https://github.com/getsentry/sentry/security/advisories/GHSA-v345-w9f2-mpm5
• https://github.com/advisories/GHSA-v345-w9f2-mpm5