
Sentry improperly authorizes deletion of user issue alert notifications

Moderate severity GitHub Reviewed Published Sep 17, 2024 in getsentry/sentry • Updated Sep 17, 2024

Package

sentry (pip)

Affected versions

>= 23.9.0, < 24.9.0

Patched versions

24.9.0

Description

Impact

An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.
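The flaw class described above (a delete request that is authenticated but not scoped to the record's owner), shown next to an owner-scoped check. This is an added illustration, not Sentry's code or its patch; the record type, the in-memory store, the function names and the sample data are all hypothetical.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and not-owned records, so IDs cannot be probed."""


@dataclass(frozen=True)
class AlertNotification:      # hypothetical record, not Sentry's model
    id: int
    user_id: int              # owner of the notification setting
    rule: str


def make_store(rows):
    """In-memory stand-in for a table keyed by notification ID."""
    return {row.id: row for row in rows}


def delete_unscoped(store, requester_id, notification_id):
    """Flawed pattern: authentication is checked, ownership is not."""
    if requester_id is None:
        raise PermissionError("authentication required")
    if notification_id not in store:
        raise NotFound(notification_id)
    del store[notification_id]   # any logged-in user can delete any known ID


def delete_scoped(store, requester_id, notification_id):
    """Corrected pattern: the lookup itself is scoped to the requester."""
    if requester_id is None:
        raise PermissionError("authentication required")
    row = store.get(notification_id)
    if row is None or row.user_id != requester_id:
        raise NotFound(notification_id)  # same answer for missing and foreign
    del store[notification_id]


def demo():
    """Constructed data: user 1 owns notification 10, user 2 owns 20."""
    rows = [AlertNotification(10, 1, "rule-a"), AlertNotification(20, 2, "rule-b")]
    flawed, fixed = make_store(rows), make_store(rows)
    delete_unscoped(flawed, requester_id=2, notification_id=10)  # succeeds
    try:
        delete_scoped(fixed, requester_id=2, notification_id=10)
    except NotFound:
        pass                                                     # rejected
    return sorted(flawed), sorted(fixed)
```

Returning the same error for a missing record and for one owned by someone else keeps the endpoint from confirming which IDs exist.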

References


@geoffg-sentry published to getsentry/sentry Sep 17, 2024
Published to the GitHub Advisory Database Sep 17, 2024
Reviewed Sep 17, 2024
Published by the National Vulnerability Database Sep 17, 2024
Last updated Sep 17, 2024

Severity

Moderate

EPSS score

0.053%
(23rd percentile)

Weaknesses

CVE ID

CVE-2024-45605

GHSA ID

GHSA-54m3-95j9-v89j

Source code

Credits
