VYPR
High severityNVD Advisory· Published Aug 7, 2023· Updated Oct 4, 2024

Sentry vulnerable to privilege escalation via ApiTokensEndpoint

CVE-2023-39349

Description

Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on sentry.io. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of sentry and self-hosted. There are no known workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
sentryPyPI
>= 22.1.0, < 23.7.223.7.2

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.