CVE-2023-36826: Improper authorization on debug and artifact file downloads
Given a known bundle ID, an authenticated user can download a debug or artifact bundle from any organization or project. The user does not need to be a member of that organization or hold any permission on the project; the download is authorized on the bundle ID alone.
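The defect class here is a missing object-level authorization check: the bundle is fetched by its ID without confirming that the caller is a member of the organization and project it belongs to. The following is an added illustration, not Sentry's code; the User and Bundle types, the in-memory store and the two handlers are hypothetical and simplified, contrasting the vulnerable pattern with the fixed one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bundle:
    org: str
    project: str
    data: bytes

@dataclass(frozen=True)
class User:
    authenticated: bool
    memberships: frozenset  # (org, project) pairs the user belongs to

class NotAuthorized(Exception): pass
class NotFound(Exception): pass

# Constructed sample store: bundles keyed by a globally unique ID, as in a real DB.
BUNDLES = {
    "b-111": Bundle("acme", "web", b"acme web symbols"),
    "b-222": Bundle("globex", "api", b"globex api symbols"),
}

def download_vulnerable(user, org, project, bundle_id):
    """Vulnerable pattern: only authentication is checked; the org/project
    from the route are ignored and the bundle is fetched by ID alone."""
    if not user.authenticated:
        raise NotAuthorized
    bundle = BUNDLES.get(bundle_id)
    if bundle is None:
        raise NotFound
    return bundle.data

def download_fixed(user, org, project, bundle_id):
    """Fixed pattern: require membership in the requested project and scope
    the lookup so the bundle must belong to that same org/project."""
    if not user.authenticated or (org, project) not in user.memberships:
        raise NotAuthorized
    bundle = BUNDLES.get(bundle_id)
    if bundle is None or (bundle.org, bundle.project) != (org, project):
        raise NotFound  # same response for missing and out-of-scope IDs
    return bundle.data

def outcome(handler, user, org, project, bundle_id):
    """Map a handler's result to 'ok', 'denied' or 'missing' for comparison."""
    try:
        handler(user, org, project, bundle_id)
        return "ok"
    except NotAuthorized:
        return "denied"
    except NotFound:
        return "missing"
```

The fixed handler also answers "missing" for a valid ID outside the caller's project, so the response does not reveal whether a guessed ID exists elsewhere.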
References
- github.com/advisories/GHSA-m4hc-m2v6-hfw8
- github.com/getsentry/sentry
- github.com/getsentry/sentry/commit/e932b15435bf36239431eaa3790a6bcfa47046a9
- github.com/getsentry/sentry/pull/49680
- github.com/getsentry/sentry/security/advisories/GHSA-m4hc-m2v6-hfw8
- github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2023-130.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-36826