CVE-2024-24829: 
NixOS vulnerability analysis and mitigation

Sentry's integration platform, specifically the Phabricator integration (maintained by Sentry) with version <=24.1.1, contains a constrained Server-Side Request Forgery (SSRF) vulnerability. The vulnerability was discovered and disclosed on February 8, 2024, affecting Sentry versions from 9.1.0 to 24.1.2. Sentry is an error tracking and performance monitoring platform that allows external services to interact with it through its integration platform (Sentry Advisory).

The vulnerability allows an attacker to make Sentry send POST HTTP requests to arbitrary URLs, including internal IP addresses, by providing unsanitized input to the Phabricator integration. While the body payload is constrained to a specific format, the vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

If exploited, the vulnerability enables attackers with access to a Sentry instance to interact with internal networks and scan local/remote ports. This could potentially lead to unauthorized access to internal resources and network reconnaissance activities (Sentry Advisory).

The vulnerability has been fixed in Sentry self-hosted release 24.1.2, and was mitigated on sentry.io on February 8, 2024. Users are advised to upgrade to version 24.1.2 or higher. There are no known workarounds for this vulnerability (Release Notes).