PT-2023-31052 · Unknown · Symbolicator

Oioki · Published 2023-11-30 · Updated 2023-12-12 · CVE-2023-49094

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Symbolicator versions prior to 23.11.2
Description: The issue is a server-side request forgery (SSRF). An attacker can make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response can be reflected back to the attacker if they have an account on a Sentry instance.
Recommendations: For versions prior to 23.11.2, update to version 23.11.2 to resolve the issue. As a temporary workaround, restrict access to the Symbolicator service to minimize the risk of exploitation, and do not use specially crafted HTTP endpoints with the affected Symbolicator instance until the issue is resolved.
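The following is an added illustration of the defensive check that closes this class of issue in any service that fetches client-supplied URLs; it is not Symbolicator's code and does not describe the project's actual fix. It assumes a hypothetical helper, check_outbound_url, that is called before an outbound GET is issued: it accepts only http/https, rejects credentials in the URL, judges IP literals directly (including IPv4-mapped IPv6 forms), and otherwise resolves the hostname and refuses the request if any resolved address falls in a loopback, private, link-local, multicast, reserved or unspecified range. The resolver is injectable so the example runs offline against constructed addresses.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical helper, not part of Symbolicator: decides whether an outbound
# URL supplied by a client may be fetched. Mitigates the SSRF pattern described
# in the advisory by refusing destinations in internal address ranges.

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its IPv4/IPv6 addresses via real DNS."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        # ::ffff:10.0.0.1 must be judged as 10.0.0.1, not as a "public" IPv6 address
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_outbound_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Only http/https to public addresses is allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    # Literal IP in the URL: judge it directly, no DNS involved.
    try:
        if is_internal_address(host):
            return False, f"literal address {host} is internal"
        return True, "ok"
    except ValueError:
        pass  # not an IP literal; fall through to name resolution

    try:
        addrs = list(resolver(host))
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"

    # Every resolved address must be public: one internal record is enough to refuse,
    # otherwise a name with mixed records could steer the request inward.
    for ip in addrs:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver stands in for DNS.
    fake_dns = lambda h: ["93.184.216.34"]
    for candidate in (
        "http://127.0.0.1:3021/symbols",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "https://example.com/symbols",
    ):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_dns))
```

A check like this is only as good as the address actually connected to: the HTTP client must connect to the addresses that were validated (or re-run the check on the resolved address it uses, and again on every redirect), otherwise a DNS answer that changes between validation and connection bypasses it.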

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-49094
GHSA-6576-PR6J-H9C6

Affected Products

Symbolicator