Request for Patch: CVE-2022-37601 in Sentry Version 24.8.0

[riki-nitdgp]

Description

• I would like to report a potential security vulnerability, CVE-2022-37601, that may affect Sentry version 24.8.0. This vulnerability could pose a risk to the security and stability of systems using this version of Sentry.

CVE Details
CVE ID: CVE-2022-37601

Description: This vulnerability involves improper input validation, which could potentially allow an attacker to execute arbitrary code or cause a denial of service. (Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js.) webpack/loader-utils#212
Impact: Exploiting this vulnerability could lead to unauthorized access to sensitive information or service disruption.
Impact Analysis: https://security.snyk.io/vuln/SNYK-JS-LOADERUTILS-3043105

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-37601
• Sentry Code: https://github.com/getsentry/sentry/blob/24.8.0/yarn.lock#L8906

Additional Information

• We are currently in the process of upgrading our self-hosted Sentry instance from version 24.3.0 to 24.8.0. According to the Sentry documentation on self-hosted releases, version 24.8.0 is a mandatory upgrade step before proceeding to any later versions.

Request

Given the mandatory nature of upgrading to version 24.8.0 before moving to newer versions, I kindly request a patch to address CVE-2022-37601 in this version. This will ensure the security and stability of our systems during the upgrade process.

Your prompt attention to this matter would be greatly appreciated.

Suggested Remediation

• Provide a patch or workaround specifically for Sentry version 24.8.0 to mitigate this vulnerability.
• Alternatively, guidance on secure configurations or temporary measures to protect against this vulnerability would be appreciated.

Additional Information
I appreciate your attention to this matter and your ongoing efforts to maintain the security of Sentry. If further information is needed to assist with this request, please let me know.

Thank you for your support.

[aldy505]

Pinging @getsentry/security for visibility.

Sadly we don't patch old version, as seen on the documentation. Does this issue only happen on 24.8.0? If it doesn't happen on newer versions, I'd rather close this issue, as most users are recommended to frequently upgrade their Sentry instance, at most in a monthly basis.

[riki-nitdgp]

Hi @aldy505 Thanks for the reply.
But as per the sentry doc (Hard Stop), I must need to take the upgrade 24.8.0 due to major migration changes.
Is there any way to skip 24.8.0 ??

[aldy505]

No, hard stop only means you will be at that version for at most 10 minutes, and then you can move up into the next hard stop (or just move into the latest version). During the upgrade, your Sentry instance shouldn't be available since your migration isn't finished yet. I don't think this is needed.