Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01OTNtLTU1aGgtajhnds4AA_74

Sentry SDK Prototype Pollution gadget in JavaScript SDKs

Impact

If a Prototype Pollution vulnerability is present in a user's application or in one of its bundled libraries, the Sentry SDK could serve as a gadget for exploiting that vulnerability. Exploitability depends on the specific details of the underlying Prototype Pollution issue.

Note: This advisory does not indicate the presence of a Prototype Pollution vulnerability within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as those pose the more critical security risk.
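The note above asks users to fix Prototype Pollution in their own code first. The following is an added example, not code from the advisory or from the Sentry project, showing the two defensive pieces a practitioner usually wants: a deep-merge helper that refuses the keys (`__proto__`, `constructor`, `prototype`) through which user-controlled input reaches `Object.prototype`, and a check that reports whether the global prototype has already been polluted. The function names and the sample JSON document are this example's own constructions.

```javascript
// Added example (not from the advisory or the Sentry project): a merge helper
// hardened against prototype pollution, plus a runtime integrity check.
// Names (safeMerge, listPollutedKeys, freezePrototypes) are assumptions of this
// example, not Sentry APIs.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only descend into plain objects; arrays, class instances, Dates etc. are
// assigned by reference so their own prototypes are never walked.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies `source` into `target`, dropping the forbidden keys at
// every depth. JSON.parse() turns a "__proto__" key into an *own* property, so
// Object.keys() does list it and the filter below is what prevents the
// assignment target[key] = value from hitting the Object.prototype setter.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // discard pollution vectors
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Built-in members of Object.prototype are non-enumerable, so any enumerable
// own key on it is a sign that something assigned through the __proto__ setter.
// Returns an empty array on a clean runtime.
function listPollutedKeys() {
  return Object.keys(Object.prototype);
}

// Opt-in hardening for code paths you control: once frozen, assignments to
// Object.prototype silently fail (or throw in strict mode). Not called here,
// because third-party code that legitimately extends built-ins would break.
function freezePrototypes() {
  Object.freeze(Object.prototype);
  Object.freeze(Array.prototype);
}

// Constructed sample input: a document shaped like the JSON bodies that
// naive recursive merges mishandle. The "__proto__" key must not leak.
const SAMPLE_INPUT = '{"user":{"name":"alice","prefs":{"theme":"dark"}},"__proto__":{"injected":true}}';

function demo() {
  const merged = safeMerge({ user: { prefs: { lang: "en" } } }, JSON.parse(SAMPLE_INPUT));
  return {
    merged,                               // user.prefs has both theme and lang
    leaked: ({}).injected !== undefined,  // false: Object.prototype untouched
    polluted: listPollutedKeys(),         // []
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The filter runs at every recursion level, not just the top, because the `constructor.prototype` path is only reachable through nested keys. `listPollutedKeys()` is cheap enough to run in a health-check endpoint or at startup.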

Patches

The issue was patched in all Sentry JavaScript SDKs starting from version 8.33.0.
The fix was also backported to SDK v7 in version 7.119.1.
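To check an installed copy against the ranges this advisory publishes for npm:@sentry/browser (`< 7.119.1` and `>= 8.0.0-alpha.1, < 8.33.0`), here is an added example, not code from the advisory or the Sentry project: a small semver comparator that handles the prerelease tags appearing in the affected list (8.0.0-alpha.1 through 8.0.0-rc.3), and an `isAffected()` check wired to those ranges. The function names and the sample package.json text are this example's own.

```javascript
// Added example (not from the advisory or the Sentry project): semver 2.0
// precedence comparison and an affected-range check for @sentry/browser.
// parseSemver, compareSemver, isAffected and checkInstalled are this example's
// own names.

// Parses "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored
// for ordering, as semver requires.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Prerelease identifiers: numeric ones compare numerically and sort before
// alphanumeric ones; alphanumeric ones compare in ASCII order.
function cmpIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Sort-style comparator: negative when a < b, 0 when equal, positive when a > b.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;  // a release outranks any prerelease of it
  if (B.pre.length === 0) return -1;
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(A.pre[i], B.pre[i]);
    if (c !== 0) return c;
  }
  return A.pre.length - B.pre.length;  // longer prerelease list wins a tie
}

// Ranges exactly as the advisory lists them; `lower: null` means no lower bound.
const AFFECTED_RANGES = [
  { lower: null, upper: "7.119.1" },
  { lower: "8.0.0-alpha.1", upper: "8.33.0" },
];

function isAffected(version) {
  return AFFECTED_RANGES.some(
    ({ lower, upper }) =>
      (lower === null || compareSemver(version, lower) >= 0) &&
      compareSemver(version, upper) < 0
  );
}

// Point this at node_modules/@sentry/browser/package.json contents.
function checkInstalled(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== "@sentry/browser") throw new Error(`unexpected package: ${pkg.name}`);
  return { name: pkg.name, version: pkg.version, affected: isAffected(pkg.version) };
}

// Constructed sample package.json, standing in for the real installed file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: "@sentry/browser", version: "8.30.0" });

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkInstalled(SAMPLE_PACKAGE_JSON)));
}
```

One caveat the range arithmetic makes visible: a prerelease of a fixed version (say `8.33.0-beta.1`) sorts below `8.33.0` and is therefore reported as affected, which is the conservative answer when you cannot tell whether that build already carries the fix.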

References

Permalink: https://github.com/advisories/GHSA-593m-55hh-j8gv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OTNtLTU1aGgtajhnds4AA_74
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 17 days ago


CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-593m-55hh-j8gv
References: Repository: https://github.com/getsentry/sentry-javascript
Blast Radius: 24.4

Affected Packages

npm:@sentry/browser
Dependent packages: 1,022
Dependent repositories: 22,584
Downloads: 24,275,153 last month
Affected Version Ranges: < 7.119.1, >= 8.0.0-alpha.1, < 8.33.0
Fixed in: 7.119.1, 8.33.0
All affected versions: 0.1.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.2, 5.4.3, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.12.0, 5.12.1, 5.12.4, 5.12.5, 5.13.0, 5.13.2, 5.14.0, 5.14.1, 5.14.2, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.16.0, 5.16.1, 5.17.0, 5.18.0, 5.18.1, 5.19.0, 5.19.1, 5.19.2, 5.20.0, 5.20.1, 5.21.0, 5.21.1, 5.21.2, 5.21.3, 5.21.4, 5.22.0, 5.22.1, 5.22.2, 5.22.3, 5.23.0, 5.24.0, 5.24.1, 5.24.2, 5.25.0, 5.26.0, 5.27.0, 5.27.1, 5.27.2, 5.27.3, 5.27.4, 5.27.5, 5.27.6, 5.28.0, 5.29.0, 5.29.1, 5.29.2, 5.30.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.15.0, 6.16.0, 6.16.1, 6.17.0, 6.17.1, 6.17.2, 6.17.3, 6.17.4, 6.17.5, 6.17.6, 6.17.7, 6.17.8, 6.17.9, 6.18.0, 6.18.1, 6.18.2, 6.19.0, 6.19.1, 6.19.2, 6.19.3, 6.19.4, 6.19.5, 6.19.6, 6.19.7, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 7.8.1, 7.9.0, 7.10.0, 7.11.0, 7.11.1, 7.12.0, 7.12.1, 7.13.0, 7.14.0, 7.14.1, 7.14.2, 7.15.0, 7.16.0, 7.17.0, 7.17.1, 7.17.2, 7.17.3, 7.17.4, 7.18.0, 7.19.0, 7.20.0, 7.20.1, 7.21.0, 7.21.1, 7.22.0, 7.23.0, 7.24.0, 7.24.1, 7.24.2, 7.25.0, 7.26.0, 7.27.0, 7.28.0, 7.28.1, 7.29.0, 7.30.0, 7.31.0, 7.31.1, 7.32.0, 7.32.1, 7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.37.2, 7.38.0, 7.39.0, 7.40.0, 7.41.0, 7.42.0, 7.43.0, 
7.44.0, 7.44.1, 7.44.2, 7.45.0, 7.46.0, 7.47.0, 7.48.0, 7.49.0, 7.50.0, 7.51.0, 7.51.1, 7.51.2, 7.52.0, 7.52.1, 7.53.0, 7.53.1, 7.54.0, 7.55.0, 7.55.1, 7.55.2, 7.56.0, 7.57.0, 7.58.0, 7.58.1, 7.59.1, 7.59.2, 7.59.3, 7.60.0, 7.60.1, 7.61.0, 7.61.1, 7.62.0, 7.63.0, 7.64.0, 7.65.0, 7.66.0, 7.67.0, 7.68.0, 7.69.0, 7.70.0, 7.71.0, 7.72.0, 7.73.0, 7.74.0, 7.74.1, 7.75.0, 7.75.1, 7.76.0, 7.77.0, 7.78.0, 7.79.0, 7.80.0, 7.80.1, 7.81.0, 7.81.1, 7.82.0, 7.83.0, 7.84.0, 7.85.0, 7.86.0, 7.87.0, 7.88.0, 7.89.0, 7.90.0, 7.91.0, 7.92.0, 7.93.0, 7.94.1, 7.95.0, 7.96.0, 7.97.0, 7.98.0, 7.99.0, 7.100.0, 7.100.1, 7.101.0, 7.101.1, 7.102.0, 7.102.1, 7.103.0, 7.104.0, 7.105.0, 7.106.0, 7.106.1, 7.107.0, 7.108.0, 7.109.0, 7.110.0, 7.110.1, 7.111.0, 7.112.0, 7.112.1, 7.112.2, 7.113.0, 7.114.0, 7.115.0, 7.116.0, 7.117.0, 7.118.0, 7.119.0, 8.0.0, 8.0.0-alpha.1, 8.0.0-alpha.2, 8.0.0-alpha.3, 8.0.0-alpha.4, 8.0.0-alpha.5, 8.0.0-alpha.7, 8.0.0-alpha.8, 8.0.0-alpha.9, 8.0.0-beta.1, 8.0.0-beta.2, 8.0.0-beta.3, 8.0.0-beta.4, 8.0.0-beta.5, 8.0.0-beta.6, 8.0.0-rc.0, 8.0.0-rc.1, 8.0.0-rc.2, 8.0.0-rc.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.20.0, 8.21.0, 8.22.0, 8.23.0, 8.24.0, 8.25.0, 8.26.0, 8.27.0, 8.28.0, 8.29.0, 8.30.0
All unaffected versions: