CVE-2023-50249 - OpenCVE

Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Sentry	Astro

Configuration 1 [-]

cpe:2.3:a:sentry:astro:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb	Patch
https://github.com/getsentry/sentry-javascript/pull/9815	Patch
https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-20T13:53:00.512Z

Updated: 2023-12-20T13:53:00.512Z

Reserved: 2023-12-05T20:42:59.377Z

Link: CVE-2023-50249

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-20T14:15:21.350

Modified: 2023-12-28T20:11:56.530

Link: CVE-2023-50249

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-50249", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-05T20:42:59.377Z", "datePublished": "2023-12-20T13:53:00.512Z", "dateUpdated": "2023-12-20T13:53:00.512Z"}, "containers": {"cna": {"title": "Sentry's Astro SDK vulnerable to ReDoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"}, {"name": "https://github.com/getsentry/sentry-javascript/pull/9815", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry-javascript/pull/9815"}, {"name": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"}], "affected": [{"vendor": "getsentry", "product": "sentry-javascript", "versions": [{"version": ">= 7.78.0, < 7.87.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-20T13:53:00.512Z"}, "descriptions": [{"lang": "en", "value": "Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0."}], "source": {"advisory": "GHSA-x3v3-8xg8-8v72", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sentry:astro:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AAA3C0C0-98ED-4031-91A3-40B43CFD8370", "versionEndExcluding": "7.87.0", "versionStartIncluding": "7.78.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0."}, {"lang": "es", "value": "Sentry-Javascript es el SDK oficial de Sentry para JavaScript. Se ha identificado una vulnerabilidad ReDoS (Denegaci\u00f3n de servicio de expresi\u00f3n regular) en Astro SDK 7.78.0-7.86.0 de Sentry. Bajo ciertas condiciones, esta vulnerabilidad permite que un atacante provoque tiempos de c\u00e1lculo excesivos en el servidor, lo que lleva a una denegaci\u00f3n de servicio (DoS). Esta vulnerabilidad ha sido parcheada en sentry/astro versi\u00f3n 7.87.0."}], "id": "CVE-2023-50249", "lastModified": "2023-12-28T20:11:56.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-20T14:15:21.350", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsentry/sentry-javascript/pull/9815"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}