Sentry vulnerable to privilege escalation via ApiTokensEndpoint
CVE-2023-39349
8.1 HIGH
What is CVE-2023-39349?
Sentry, a widely used error tracking and performance monitoring platform, has a vulnerability in its ApiTokensEndpoint: an attacker holding a limited-scope or no-scope token can query the API for a complete list of all user-created tokens. That list includes more privileged tokens, which can then be used in subsequent API requests. The issue has not been reported as exploited on the Sentry cloud service. It affects all versions from 22.1.0 up to, but not including, 23.7.2. Users are strongly advised to rotate their auth tokens and upgrade to version 23.7.2 or later. No known workarounds exist for this vulnerability.
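The following is an added illustrative model of the flaw class described above, not Sentry's code: a token-listing handler that authenticates the caller but never restricts the result, beside a hardened variant, with a regression check that measures whether a low-privilege token can discover scopes it does not hold. The `ApiToken` type, the sample store and the hardened design (own-owner plus scope-subset filtering) are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiToken:
    token_id: int
    owner: str
    scopes: frozenset  # an empty frozenset models a "no-scoped" token


# Constructed sample store for illustration only (not Sentry data).
TOKEN_STORE = [
    ApiToken(1, "alice", frozenset({"org:admin", "project:write"})),
    ApiToken(2, "alice", frozenset()),                 # low-privilege token
    ApiToken(3, "bob", frozenset({"project:read"})),
]


def list_tokens_vulnerable(caller: ApiToken) -> list[ApiToken]:
    """Models the defect: the endpoint authenticates the caller but never
    scopes the query, so every user-created token is returned."""
    return list(TOKEN_STORE)


def list_tokens_fixed(caller: ApiToken) -> list[ApiToken]:
    """Hardened model (assumed design, not Sentry's actual fix): a token may
    only list tokens of its own owner, and never one holding scopes it does
    not itself hold, so the listing cannot be used to escalate privilege."""
    return [
        t for t in TOKEN_STORE
        if t.owner == caller.owner and t.scopes <= caller.scopes
    ]


def escalation_exposure(caller: ApiToken, handler) -> frozenset:
    """Scopes visible through `handler` that the caller does not hold.
    A non-empty result is the escalation condition the advisory describes;
    it doubles as a regression test for any token-listing endpoint."""
    visible = frozenset().union(*(t.scopes for t in handler(caller)))
    return visible - caller.scopes


if __name__ == "__main__":
    low = TOKEN_STORE[1]  # alice's no-scoped token
    print("vulnerable exposes:", sorted(escalation_exposure(low, list_tokens_vulnerable)))
    print("fixed exposes:     ", sorted(escalation_exposure(low, list_tokens_fixed)))
```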
Affected Version(s)
sentry >= 22.1.0, < 23.7.2
