Sentry improperly authorizes deletion of user issue alert notifications
Published to the GitHub Advisory Database: Sep 17, 2024
Reviewed: Sep 17, 2024
Published by the National Vulnerability Database: Sep 17, 2024
Last updated: Nov 18, 2024
Description
Impact
An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID.
Patches
A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.
Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.
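The class of flaw described above, authorization that is not scoped to the requesting user, is illustrated below next to a scoped check. This is an added example, not Sentry's code or its patch; the in-memory store, the `AlertNotification` record and all function names are hypothetical.

```python
# Added illustration: hypothetical names, in-memory store, not Sentry's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertNotification:
    alert_id: int
    owner_user_id: int  # the user whose notification setting this is


class NotFound(Exception):
    """Raised for a missing row and for a row owned by someone else alike."""


def make_store():
    # Constructed sample data: two users, one notification setting each.
    rows = [AlertNotification(101, owner_user_id=1),
            AlertNotification(102, owner_user_id=2)]
    return {row.alert_id: row for row in rows}


def delete_unscoped(store, requester_id, alert_id):
    """Flawed pattern: authentication only; the lookup ignores the requester."""
    if alert_id not in store:
        raise NotFound(alert_id)
    del store[alert_id]  # any logged-in user who knows the ID succeeds


def delete_scoped(store, requester_id, alert_id):
    """Scoped pattern: the lookup itself is bound to the requester."""
    row = store.get(alert_id)
    if row is None or row.owner_user_id != requester_id:
        # Same error in both cases, so the response does not confirm
        # that another user's alert ID exists.
        raise NotFound(alert_id)
    del store[alert_id]


def attempt(delete_fn, requester_id, alert_id):
    """Run one delete against a fresh store; return (deleted, remaining IDs)."""
    store = make_store()
    try:
        delete_fn(store, requester_id, alert_id)
        deleted = True
    except NotFound:
        deleted = False
    return deleted, sorted(store)
```

A regression test for this kind of fix should include the cross-user case, since tests that only delete the requester's own records pass against both versions.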
References