Cleartext Password Exposure in Sentry Superuser Authentication
CVE-2024-32474

Key Information:

Vendor: Sentry
Status: Vendor
CVE Published: 18 April 2024

What is CVE-2024-32474?

Sentry, an error tracking and performance monitoring platform, has a vulnerability that writes superuser passwords in cleartext to its logs during authentication. Prior to version 24.4.1, when a superuser logs in, the credentials are recorded under the log event 'auth-index.validate_superuser'. An attacker who can read these logs can reuse the leaked password to access the Sentry instance with superuser privileges. Users are advised to upgrade to version 24.4.1 or later. Additionally, configuring logging to exclude INFO-level messages keeps this event, and the credential it carries, out of the logs.
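The following added Python example (not Sentry's code) illustrates the exposure and the log-level mitigation described above, plus a record-scrubbing filter as defense in depth: a simulated INFO-level login event carries the raw password, raising the handler level to WARNING drops the event entirely, and a filter that redacts password fields keeps the event while removing the secret. The event name is taken from the advisory; the 'username'/'password' fields and the filter itself are assumptions.

```python
import io
import logging

# Constructed demo, not Sentry's code. The event name comes from the advisory;
# the 'username'/'password' extra fields and the filter are assumptions.
EVENT_NAME = "auth-index.validate_superuser"
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}


class RedactSensitiveFilter(logging.Filter):
    """Scrub credential-bearing attributes from a LogRecord before formatting."""

    def filter(self, record):
        for key in list(vars(record)):
            if key.lower() in SENSITIVE_KEYS:
                setattr(record, key, "[REDACTED]")
        return True  # keep the event, minus the secret


def build_logger(name, level, redact):
    """Logger writing to an in-memory stream so the output can be inspected."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(
        "%(levelname)s %(message)s user=%(username)s password=%(password)s"))
    if redact:
        handler.addFilter(RedactSensitiveFilter())  # runs before the formatter
    logger.addHandler(handler)
    return logger, stream


def simulate_superuser_login(logger, username, password):
    """Mimics an INFO-level audit event that carries the raw credential."""
    logger.info(EVENT_NAME, extra={"username": username, "password": password})


def captured_log(level, redact):
    """Run one simulated login under the given config and return what was logged."""
    logger, stream = build_logger(f"demo.{level}.{redact}", level, redact)
    simulate_superuser_login(logger, "admin", "constructed-secret-123")
    return stream.getvalue()


if __name__ == "__main__":
    print("INFO, no filter :", captured_log(logging.INFO, False).strip())
    print("WARNING only    :", repr(captured_log(logging.WARNING, False)))
    print("INFO + redaction:", captured_log(logging.INFO, True).strip())
```

Raising the level hides the whole audit event; the filter is the option that preserves the event for detection while still keeping the secret out of the logs.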

Timeline

  • Vulnerability published
