CVE-2021-47935: Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter
(updated )
Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.
References
- github.com/advisories/GHSA-444r-2whx-3685
- github.com/getsentry/sentry/commit/19a0ba63d9ffb6aff79c7b78e2fa951a94edd61a
- github.com/getsentry/sentry/commit/1f6090dc64b237c3da22bf35a5863a7136ac4669
- github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2026-131.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-47935
- sentry.io/welcome
- www.exploit-db.com/exploits/50318
- www.vulncheck.com/advisories/sentry-remote-code-execution-via-pickle-deserialization
Code Behaviors & Features
Detect and mitigate CVE-2021-47935 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →