Bugsink Cross-Project Authorization Vulnerability Allowing Event Data Exposure

Vulnerability

A project-boundary authorization vulnerability has been identified in Bugsink, a self-hosted error tracking tool, prior to version 2.2.0. The issue event pages accept an event identifier directly from the URL and, in affected versions, fetch that event without checking that it belongs to the issue also named in the URL. A logged-in user with access to one project can therefore open an issue they are allowed to see, substitute the UUID of an event from a different project, and be served that event's data, including its stack trace, event details, and breadcrumbs. Exploitation requires an authenticated account and prior knowledge of a valid event UUID; because there is no event enumeration path and Bugsink is commonly self-hosted within a single trust domain, the severity is rated low.
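The pattern described above, as an added illustration that is not Bugsink's own code: a view that checks the user's access to the issue in the URL correctly, but then resolves the event by id alone, beside the same view with the event lookup scoped to that issue. The model classes, membership table, user names, event UUIDs and the `issue_event_page_*` function names are all constructed for this example; in a Django application the fix corresponds to filtering the event queryset by the issue (or its project) rather than querying by primary key alone.

```python
"""Constructed in-memory model of projects, issues and events.

Not Bugsink's code: an illustration of an event lookup that ignores the
issue named in the URL, and of the scoped lookup that closes the gap.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


@dataclass(frozen=True)
class Issue:
    id: int
    project_id: int


@dataclass(frozen=True)
class Event:
    id: str            # event UUID as it would appear in the URL
    issue_id: int
    project_id: int
    stacktrace: str


# Constructed sample data: two projects, one issue each, one event each.
ISSUES = {
    10: Issue(id=10, project_id=1),   # project 1 ("frontend")
    20: Issue(id=20, project_id=2),   # project 2 ("billing")
}
EVENT_P1 = "3c1b2d6e-1111-4f2a-9c1e-aaaaaaaaaaaa"
EVENT_P2 = "7d9e4f20-2222-4b5c-8a7d-bbbbbbbbbbbb"
EVENTS = {
    EVENT_P1: Event(EVENT_P1, issue_id=10, project_id=1, stacktrace="frontend: TypeError at app.js:42"),
    EVENT_P2: Event(EVENT_P2, issue_id=20, project_id=2, stacktrace="billing: KeyError at invoice.py:88"),
}
# Constructed membership: which projects each user may view.
MEMBERSHIP = {"alice": {1}, "bob": {2}}


def get_issue_for_user(user: str, issue_id: int) -> Issue:
    """The per-issue authorization check, which is correct in both views."""
    issue = ISSUES.get(issue_id)
    if issue is None:
        raise NotFound
    if issue.project_id not in MEMBERSHIP.get(user, set()):
        raise Forbidden
    return issue


def issue_event_page_vulnerable(user: str, issue_id: int, event_id: str) -> dict:
    """Authorizes the issue, then fetches the event by id alone (the bug)."""
    issue = get_issue_for_user(user, issue_id)
    event = EVENTS.get(event_id)          # BUG: not scoped to `issue`
    if event is None:
        raise NotFound
    return {"issue": issue.id, "project": event.project_id, "stacktrace": event.stacktrace}


def issue_event_page_fixed(user: str, issue_id: int, event_id: str) -> dict:
    """Same view, but the event must belong to the issue from the URL."""
    issue = get_issue_for_user(user, issue_id)
    event = EVENTS.get(event_id)
    # Scope the lookup to the issue; a foreign event is indistinguishable from
    # a nonexistent one, so the 404 does not confirm that the UUID is valid.
    if event is None or event.issue_id != issue.id:
        raise NotFound
    return {"issue": issue.id, "project": event.project_id, "stacktrace": event.stacktrace}


def cross_project_leak(view) -> bool:
    """True if alice (project 1 only) can read project 2's event via issue 10."""
    try:
        return view("alice", 10, EVENT_P2)["project"] == 2
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", cross_project_leak(issue_event_page_vulnerable))
    print("fixed leaks:     ", cross_project_leak(issue_event_page_fixed))
```

Note that the issue-level check alone does not help: the attacker chooses an issue they legitimately own and only swaps the event id. The defence is to make the event query inherit the scope that was already authorized, so the two identifiers in the URL can never disagree.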

Impact

Exploitation of this vulnerability leads to unauthorized cross-project event data exposure: an authenticated user can read event data (stack traces, event details, breadcrumbs) from projects they have no access to, provided they know the target event's UUID. Event data can only be read, not modified, and the attacker cannot enumerate event UUIDs through this flaw.

Remediation

Upgrade to Bugsink version 2.2.0 or later, where the event lookup is fixed. Instructions for downloading the latest version are available on the Bugsink GitHub Releases page. Until the upgrade is applied, exposure is limited to users who already hold an account on the instance and know a valid event UUID, so the practical risk is highest on instances shared across multiple trust domains.

Added: May 26, 2026, 11:06 PM
Updated: May 26, 2026, 11:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.8
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.