CVE-2024-45605: 
Python vulnerability analysis and mitigation

Sentry, a developer-first error tracking and performance monitoring platform, was found to contain a vulnerability (CVE-2024-45605) where an authenticated user could delete user issue alert notifications for arbitrary users given a known alert ID. The vulnerability affects versions from 23.9.0 up to and including 24.8.0, with a patch released in version 24.9.0 (Sentry Advisory).

The vulnerability is classified as an Authorization Bypass Through User-Controlled Key (CWE-639). It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability (NVD).

The vulnerability allows authenticated users to delete issue alert notifications belonging to other users, provided they know the alert ID. This represents a significant integrity breach in the platform's notification system, potentially disrupting other users' alert configurations (Sentry Advisory).

A patch has been released in Sentry version 24.9.0 that ensures authorization checks are properly scoped on requests to delete user alert notifications. Sentry SaaS users do not need to take any action as the fix has been automatically applied. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher (Sentry Advisory).