CVE-2021-47935

Sentry 8.2.0 Remote Code Execution via Pickle Deserialization

CVSS 8.7 HIGHEPSS 0.9%CWE-94

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Sentry · Sentry

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/50318unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://sentry.io/welcome/https://www.exploit-db.com/exploits/50318 https://www.vulncheck.com/advisories/sentry-remote-code-execution-via-pickle-deserialization