Bugsink
- <= 2.1.3
Prior to version 2.2.0, Bugsink, a self-hosted error tracking tool, resolved sourcemaps and debug files without scoping the lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could therefore cause event processing in that project to use sourcemap or debug-file metadata uploaded to a different project on the same Bugsink instance, provided both referenced the same debug ID. The result could be the unintended disclosure of source context or symbolication-derived information belonging to the other project.
Exploitation could result in sourcemap and debug-file metadata from one project being used during event processing in another, disclosing sensitive debugging information across project boundaries.
Upgrade to Bugsink version 2.2.0 or later. After upgrading, re-upload sourcemaps and debug files so that each record carries the correct project association, since metadata uploaded before the fix has no project attached. Legacy projectless sourcemap metadata can be removed immediately after upgrading with the command 'bugsink-manage delete_legacy_sourcemaps'.
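The following is an added illustration of the lookup flaw described above, not Bugsink's own code. It models a debug-file registry as an in-memory list and places the unscoped lookup (keyed on debug ID alone) next to the project-scoped one, then shows how a legacy projectless record can never be matched once lookups are scoped, which is why the advisory recommends re-uploading and deleting such records. The names DebugFile, lookup_unscoped, lookup_scoped, resolve_for_event and legacy_records, and the sample data, are assumptions made for this example.

```python
"""Constructed example: cross-project debug-file resolution, unscoped vs scoped.

Not Bugsink's implementation. All names and sample data are assumptions made
for illustration; a real deployment would back this with a database query.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DebugFile:
    project_id: Optional[int]  # None models a legacy upload with no owning project
    debug_id: str
    source_context: str


# Constructed sample registry: two projects uploaded metadata under the same
# debug ID, plus one legacy record that was uploaded without project information.
REGISTRY: List[DebugFile] = [
    DebugFile(project_id=1, debug_id="a1b2c3", source_context="project-1 private source"),
    DebugFile(project_id=2, debug_id="a1b2c3", source_context="project-2 source"),
    DebugFile(project_id=None, debug_id="deadbeef", source_context="legacy projectless source"),
]


def lookup_unscoped(registry: List[DebugFile], debug_id: str) -> Optional[DebugFile]:
    """Vulnerable pattern: first record matching the debug ID, whoever uploaded it."""
    for f in registry:
        if f.debug_id == debug_id:
            return f
    return None


def lookup_scoped(registry: List[DebugFile], project_id: int, debug_id: str) -> Optional[DebugFile]:
    """Hardened pattern: only metadata owned by the requesting project resolves."""
    for f in registry:
        if f.project_id == project_id and f.debug_id == debug_id:
            return f
    return None


def resolve_for_event(registry: List[DebugFile], project_id: int, debug_id: str,
                      scoped: bool = True) -> Optional[str]:
    """Resolve the source context an event in `project_id` would be symbolicated with."""
    f = (lookup_scoped(registry, project_id, debug_id) if scoped
         else lookup_unscoped(registry, debug_id))
    return None if f is None else f.source_context


def legacy_records(registry: List[DebugFile]) -> List[DebugFile]:
    """Records with no owning project. Scoped lookups can never match them, so
    they are dead weight to be re-uploaded with a project and then deleted."""
    return [f for f in registry if f.project_id is None]


if __name__ == "__main__":
    # An event in project 2 references debug ID a1b2c3. The unscoped lookup
    # returns whichever record was found first, here project 1's metadata.
    print("unscoped:", resolve_for_event(REGISTRY, 2, "a1b2c3", scoped=False))
    print("scoped:  ", resolve_for_event(REGISTRY, 2, "a1b2c3", scoped=True))
    # A project that never uploaded a1b2c3 gets nothing under scoping.
    print("scoped, project 3:", resolve_for_event(REGISTRY, 3, "a1b2c3", scoped=True))
    print("legacy records:", [f.debug_id for f in legacy_records(REGISTRY)])
```

The scoped lookup is the fix's essential property: the project performing the event processing must be part of the key, not just the debug ID. The legacy_records helper mirrors the cleanup step, since a record without a project can only be reached by the unscoped path and should not survive the upgrade.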