Sentry 2.2.0 GHSA Advisory Fix: Insecure Direct Object Reference in Bulk Actions & Global Source Map Scope

Vulnerability Overview In Sentry version 2.2.0, a security vulnerability exists that allows project members to access certain issue list bulk operations and issue event views of other projects via UUID. Additionally, source maps and debug file IDs are resolved globally, which could lead to events from one project uploading debug metadata from another project. Impact Scope Issue List Bulk Operations: Project members can access issue list bulk operations of other projects. Issue Event Views: Project members can access issue event views of other projects. Source Maps and Debug Files: Source maps and debug file IDs are resolved globally, which could lead to events from one project uploading debug metadata from another project. Remediation 1. Issue List Bulk Operations and Issue Event Views: - Fixed permission issues for issue list bulk operations and issue event views, ensuring that only authorized projects/issues can be accessed. - Related GHSA links: GHSA-g5vc-q7gc-v939, GHSA-vx2t-6m6h-9frf 2. Source Maps and Debug Files: - Fixed the global resolution issue for source map and debug file IDs, ensuring that newly uploaded files store project-specific information and lookups. - Related GHSA link: GHSA-5389-f7vh-ww8 Upgrade Recommendations Source map uploads should include meaningful source map slugs. Existing unscoped source maps will continue to work, but installers may choose to remove the fallback and re-upload source maps with project slugs. Code Block No POC code or exploit code is included on this page.

Goal Reached Thanks to every supporter — we hit 100%!

Sentry 2.2.0 GHSA Advisory Fix: Insecure Direct Object Reference in Bulk Actions & Global Source Map Scope

More from this source