CVE-2023-49094

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49094
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-49094.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-49094
Aliases
  • GHSA-6576-pr6j-h9c6
Published
2023-11-30T04:49:37Z
Modified
2025-10-30T20:23:15.646053Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Symbolicator Server Side Request Forgery vulnerability
Details

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary HTTP GET requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on a Sentry instance. The issue has been fixed in release 23.11.2.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/getsentry/symbolicator

Affected ranges

Type
GIT
Repo
https://github.com/getsentry/symbolicator
Events

Affected versions

0.*

0.3.3
0.3.4
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.7.0

23.*

23.10.0
23.10.1
23.11.0
23.11.1
23.4.0
23.5.0
23.5.1
23.5.2
23.6.0
23.6.1
23.6.2
23.7.0
23.7.1
23.7.2
23.8.0
23.9.0
23.9.1