GHSA-593m-55hh-j8gv

Source
https://github.com/advisories/GHSA-593m-55hh-j8gv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-593m-55hh-j8gv/GHSA-593m-55hh-j8gv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-593m-55hh-j8gv
Published
2024-10-03T18:26:53Z
Modified
2024-10-04T16:32:02Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Sentry SDK Prototype Pollution gadget in JavaScript SDKs
Details

Impact

In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.

Note: This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.
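The "gadget" role described above is easiest to see in a small model. The following is an added illustration, not Sentry's code and not the specific code path the advisory fixed: a library that reads an options object with plain property access or the `in` operator walks the prototype chain, so a key planted on `Object.prototype` by an unrelated pollution bug in the application is silently consumed. The hardened reader only honours own properties and returns a null-prototype object. The function names (`readOptionsNaive`, `readOptionsHardened`, `withPollutedPrototype`, `detectPollutedPrototype`) and the endpoint values are constructed for this example.

```javascript
// Added example (hypothetical names, not Sentry's implementation): how reading
// an options object can turn a library into a prototype-pollution gadget, and
// how to read options so that inherited keys are ignored.

const DEFAULT_ENDPOINT = "https://example.invalid/default"; // constructed value

// Naive reader: `opts.debug` and `"endpoint" in opts` both consult the
// prototype chain, so a key on Object.prototype is treated as user config.
function readOptionsNaive(opts) {
  return {
    debug: opts.debug === undefined ? false : Boolean(opts.debug),
    endpoint: "endpoint" in opts ? String(opts.endpoint) : DEFAULT_ENDPOINT,
  };
}

// Hardened reader: only own properties count, and the result has no prototype,
// so neither the lookup nor later consumers can be influenced by pollution.
// Object.hasOwn is used rather than opts.hasOwnProperty(...) because the
// latter is itself an inherited method that pollution could overwrite.
function readOptionsHardened(opts) {
  const out = Object.create(null);
  out.debug = Object.hasOwn(opts, "debug") ? Boolean(opts.debug) : false;
  out.endpoint = Object.hasOwn(opts, "endpoint")
    ? String(opts.endpoint)
    : DEFAULT_ENDPOINT;
  return out;
}

// Runtime check a defender can run at startup or in tests: a clean runtime has
// no own enumerable keys on Object.prototype, so any key listed here is a sign
// that something in the process has polluted the global prototype.
function detectPollutedPrototype() {
  return Object.keys(Object.prototype);
}

// Simulates the *effect* of a prototype-pollution bug elsewhere in the
// application (constructed for the demo); the property is removed afterwards
// so the rest of the process is left clean.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, configurable: true, enumerable: true, writable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

function demo() {
  const userOpts = {}; // the application configured nothing explicitly
  return withPollutedPrototype("endpoint", "https://polluted.invalid/collect", () => ({
    naive: readOptionsNaive(userOpts).endpoint,        // picks up the polluted key
    hardened: readOptionsHardened(userOpts).endpoint,  // keeps the default
    polluted: detectPollutedPrototype(),               // ["endpoint"] while polluted
  }));
}

module.exports = { readOptionsNaive, readOptionsHardened, detectPollutedPrototype, withPollutedPrototype, demo };
```

Run with `node` on 16.9 or later (`Object.hasOwn`). The point the advisory makes is visible in `demo()`: the library code itself contains no pollution bug, yet the naive reader's output is controlled by whatever polluted the prototype, which is why the application-side pollution is the more serious issue and the SDK change only removes one place where it can be cashed in.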

Patches

The issue was patched in all Sentry JavaScript SDKs starting from version 8.33.0. The fix was also backported to SDK v7 in 7.119.1.

References

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-913"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-03T18:26:53Z"
}
Affected packages

npm / @sentry/browser

Package

Name
@sentry/browser
Purl
pkg:npm/%40sentry/browser

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0-alpha.1
Fixed
8.33.0

npm / @sentry/browser

Package

Name
@sentry/browser
Purl
pkg:npm/%40sentry/browser

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.119.1