
Request for Patch: CVE-2022-37601 in Sentry Version 24.8.0 #3494

Open
riki-nitdgp opened this issue Dec 27, 2024 · 4 comments

Comments


riki-nitdgp commented Dec 27, 2024

Description

  • I would like to report a potential security vulnerability, CVE-2022-37601, that may affect Sentry version 24.8.0. This vulnerability could pose a risk to the security and stability of systems using this version of Sentry.

CVE Details
CVE ID: CVE-2022-37601

Description: This vulnerability involves improper input validation, which could potentially allow an attacker to execute arbitrary code or cause a denial of service. (Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js.) webpack/loader-utils#212
Impact: Exploiting this vulnerability could lead to unauthorized access to sensitive information or service disruption.
Impact Analysis: https://security.snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105

References

Additional Information

  • We are currently in the process of upgrading our self-hosted Sentry instance from version 24.3.0 to 24.8.0. According to the Sentry documentation on self-hosted releases, version 24.8.0 is a mandatory upgrade step before proceeding to any later versions.

Request

Given the mandatory nature of upgrading to version 24.8.0 before moving to newer versions, I kindly request a patch to address CVE-2022-37601 in this version. This will ensure the security and stability of our systems during the upgrade process.

Your prompt attention to this matter would be greatly appreciated.

Suggested Remediation

  • Provide a patch or workaround specifically for Sentry version 24.8.0 to mitigate this vulnerability.
  • Alternatively, guidance on secure configurations or temporary measures to protect against this vulnerability would be appreciated.

Additional Information
I appreciate your attention to this matter and your ongoing efforts to maintain the security of Sentry. If further information is needed to assist with this request, please let me know.

Thank you for your support.
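The parseQuery prototype-pollution sink named in the CVE details above, as an added illustration that is neither the original post's nor loader-utils' own code: a parseQuery-style parser of an assumed shape (`?a=1&b[]=x&b[]=y`) in a naive form beside a hardened form that drops prototype-related names and builds the result on a null prototype. The parser shape and the function names are assumptions made for this example.

```javascript
// Added example (not loader-utils' real parseQuery.js): a parser of the same
// general shape, "?a=1&b[]=x&b[]=y", in a naive and a hardened variant.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// "name=value" -> [name, value]; a bare "name" means boolean true. Names are
// percent-decoded here, so any deny-list check must run after this step.
function splitArg(arg) {
  const idx = arg.indexOf("=");
  if (idx < 0) return [decodeURIComponent(arg), true];
  return [decodeURIComponent(arg.slice(0, idx)), decodeURIComponent(arg.slice(idx + 1))];
}
// Naive variant: every decoded name is written onto a plain object. "__proto__"
// hits the inherited accessor, so "__proto__[]=x" replaces the result's prototype.
function parseQueryNaive(query) {
  const result = {};
  for (const arg of query.replace(/^\?/, "").split(/[,&]/)) {
    if (!arg) continue;
    let [name, value] = splitArg(arg);
    if (name.endsWith("[]")) {
      name = name.slice(0, -2);
      if (!Array.isArray(result[name])) result[name] = []; // prototype sink
      result[name].push(value);
    } else {
      result[name] = value;
    }
  }
  return result;
}
// Hardened variant: a null-prototype result (no __proto__ accessor to hit) plus
// a deny-list applied after decoding, so prototype-related names are dropped
// rather than assigned. Either measure alone closes this sink; both together
// also survive a later refactor that swaps the result container.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const arg of query.replace(/^\?/, "").split(/[,&]/)) {
    if (!arg) continue;
    let [name, value] = splitArg(arg);
    const isArray = name.endsWith("[]");
    if (isArray) name = name.slice(0, -2);
    if (FORBIDDEN_KEYS.has(name)) continue; // drop, never assign
    if (isArray) {
      if (!Array.isArray(result[name])) result[name] = [];
      result[name].push(value);
    } else {
      result[name] = value;
    }
  }
  return result;
}
```

A quick regression check for the naive form is whether `Array.isArray(Object.getPrototypeOf(result))` becomes true after parsing a crafted query; the hardened form keeps the prototype at `null` and yields no `__proto__` key at all.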

Collaborator

aldy505 commented Dec 30, 2024

Pinging @getsentry/security for visibility.

Sadly we don't patch old versions, as seen on the documentation. Does this issue only happen on 24.8.0? If it doesn't happen on newer versions, I'd rather close this issue, as most users are recommended to frequently upgrade their Sentry instance, at most on a monthly basis.

@riki-nitdgp
Author

Hi @aldy505, thanks for the reply.
But as per the Sentry docs (Hard Stop), I must take the 24.8.0 upgrade due to major migration changes.
Is there any way to skip 24.8.0?

@getsantry getsantry bot moved this from Waiting for: Community to Waiting for: Product Owner in GitHub Issues with 👀 3 Dec 30, 2024
Collaborator

aldy505 commented Dec 31, 2024

No, hard stop only means you will be at that version for at most 10 minutes, and then you can move up into the next hard stop (or just move into the latest version). During the upgrade, your Sentry instance shouldn't be available since your migration isn't finished yet. I don't think this is needed.

@getsantry getsantry bot moved this to Waiting for: Community in GitHub Issues with 👀 3 Dec 31, 2024
@aldy505 aldy505 marked this as a duplicate of #3501 Jan 3, 2025

getsantry bot commented Jan 21, 2025

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry bot added the Stale label Jan 21, 2025