7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45606

GHSA ID

GHSA-v345-w9f2-mpm5

EPSS Score

0.2844%

CWE

CWE-639

Published

9/17/2024

Updated

10/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45606

CVE-2024-45606: Sentry improperly authorizes muting of alert rules

Impact

An authenticated user can mute alert rules from arbitrary organizations and projects given a known given rule ID. The user does not need to be a member of the organization or have permissions on the project.

In our review, we have identified no instances where alerts have been muted by unauthorized parties.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to mute alert rules. Authenticated users who do not have the necessary permissions are no longer able to mute alerts.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.

Affected Versions

The rule mute feature was generally available as of 23.6.0 but users with early access may have had the feature as of 23.4.0.

Update

As of 2024-10-25 and after additional we've updated the Severity scoring to reduce Privileged Required from Low to None and Integrity from High to Low. Thanks again to @emanuelbeni for the correction on Privileges Required.

References

Prevent muting alerts

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45606

GHSA ID

GHSA-v345-w9f2-mpm5

EPSS Score

0.2844%

CWE

CWE-639

Published

9/17/2024

Updated

10/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sentry	pip	>= 23.4.0, < 24.9.0	24.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper authorization checks when fetching alert rules. The pre-patch code in BaseRuleSnoozeEndpoint used self.rule_model.objects.get(id=rule_id) which didn't validate the user's access to the project/organization associated with the rule. The patch added project-scoped queries (fetch_for_project and project filtering) and moved authorization checks to convert_args. The test changes showing 404 responses for unauthorized access confirm the authorization bypass was in rule retrieval. CWE-639 (User-Controlled Key authorization bypass) aligns with this pattern of missing access control on direct object references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *ut**nti**t** us*r **n mut* *l*rt rul*s *rom *r*itr*ry or**niz*tions *n* proj**ts *iv*n * known *iv*n rul* I*. T** us*r *o*s not n*** to ** * m*m**r o* t** or**niz*tion or **v* p*rmissions on t** proj**t. In our r*vi*w, w* **v* i**nti

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ut*oriz*tion ****ks w**n **t**in* *l*rt rul*s. T** pr*-p*t** *o** in **s*Rul*Snooz**n*point us** s*l*.rul*_mo**l.o*j**ts.**t(i*=rul*_i*) w*i** *i*n't v*li**t* t** us*r's ****ss to t** proj**t/or**niz*tion *sso*i

7.1

Basic Information

Concerned about an active attack path?

CVE-2024-45606: Sentry improperly authorizes muting of alert rules

Impact

Patches

Affected Versions

Update

References

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI