Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request for Patch: CVE-2022-37601 in Sentry Version 24.8.0 #3501

Closed
riki-nitdgp opened this issue Dec 27, 2024 · 1 comment
Closed

Request for Patch: CVE-2022-37601 in Sentry Version 24.8.0 #3501

riki-nitdgp opened this issue Dec 27, 2024 · 1 comment

Comments

@riki-nitdgp
Copy link

riki-nitdgp commented Dec 27, 2024
edited
Loading

Description

  • I would like to report a potential security vulnerability, CVE-2022-37601, that may affect Sentry version 24.8.0. This vulnerability could pose a risk to the security and stability of systems using this version of Sentry.

CVE Details
CVE ID: CVE-2022-37601

Description: This vulnerability involves improper input validation, which could potentially allow an attacker to execute arbitrary code or cause a denial of service. (Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js.) webpack/loader-utils#212
Impact: Exploiting this vulnerability could lead to unauthorized access to sensitive information or service disruption.
Impact Analysis: https://security.snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105

References

Additional Information

  • We are currently in the process of upgrading our self-hosted Sentry instance from version 24.3.0 to 24.8.0. According to the Sentry documentation on self-hosted releases, version 24.8.0 is a mandatory upgrade step before proceeding to any later versions.

Request

Given the mandatory nature of upgrading to version 24.8.0 before moving to newer versions, I kindly request a patch to address CVE-2022-37601 in this version. This will ensure the security and stability of our systems during the upgrade process.

Your prompt attention to this matter would be greatly appreciated.

Suggested Remediation

  • Provide a patch or workaround specifically for Sentry version 24.8.0 to mitigate this vulnerability.
  • Alternatively, guidance on secure configurations or temporary measures to protect against this vulnerability would be appreciated.

Additional Information
I appreciate your attention to this matter and your ongoing efforts to maintain the security of Sentry. If further information is needed to assist with this request, please let me know.

Thank you for your support.
@getsantry
Copy link

getsantry bot commented Dec 27, 2024

Assigning to @getsentry/support for routing ⏲️

@dalnoki dalnoki transferred this issue from getsentry/sentry Jan 2, 2025
@getsantry getsantry bot moved this from Waiting for: Support to Waiting for: Product Owner in GitHub Issues with 👀 3 Jan 2, 2025
@aldy505 aldy505 closed this as completed Jan 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
GitHub Issues with 👀 3
Archived in project
Self-hosted Sentry
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aldy505 @riki-nitdgp