High severity · NVD Advisory · Published Aug 7, 2023 · Updated Oct 4, 2024

Sentry vulnerable to privilege escalation via ApiTokensEndpoint

CVE-2023-39349

Description

Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on sentry.io. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of sentry and self-hosted. There are no known workarounds.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: sentry (PyPI)
Affected versions: >= 22.1.0, < 23.7.2
Patched versions: 23.7.2

Patches

fad12c1150d1

SessionNoAuthTokenAuthentication custom authenticator (#53850)

https://github.com/getsentry/sentry · Alexander Tarasov · Jul 31, 2023 · via ghsa
3 files changed · +22 −3
  • src/sentry/api/authentication.py · +13 −1 · modified
    @@ -4,7 +4,11 @@
     from django.contrib.auth.models import AnonymousUser
     from django.utils.crypto import constant_time_compare
     from django.utils.encoding import force_str
    -from rest_framework.authentication import BasicAuthentication, get_authorization_header
    +from rest_framework.authentication import (
    +    BasicAuthentication,
    +    SessionAuthentication,
    +    get_authorization_header,
    +)
     from rest_framework.exceptions import AuthenticationFailed
     from rest_framework.request import Request
     from sentry_relay import UnpackError
    @@ -157,6 +161,14 @@ def authenticate_credentials(self, userid, password, request=None):
             return (AnonymousUser(), key)
     
     
    +class SessionNoAuthTokenAuthentication(SessionAuthentication):
    +    def authenticate(self, request: Request):
    +        auth = get_authorization_header(request)
    +        if auth:
    +            return None
    +        return super().authenticate(request)
    +
    +
     class ClientIdSecretAuthentication(QuietBasicAuthentication):
         """
         Authenticates a Sentry Application using its Client ID and Secret
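Review bot: `SessionNoAuthTokenAuthentication.authenticate` has no docstring explaining why the presence of any `Authorization` header short-circuits session authentication; add one, since that intent (a request presenting a bearer or basic credential must never be granted a session identity on the endpoints that use this class) is the whole point of the fix and the class name alone does not convey it. Note also that the guard keys on any non-empty header rather than on the `Bearer` scheme specifically, so an unrecognised scheme is refused as well; because this is the only authenticator on the endpoint, such a request falls through unauthenticated and `IsAuthenticated` rejects it, which is the behaviour the new test expects.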
    
  • src/sentry/api/endpoints/api_tokens.py · +2 −2 · modified
    @@ -2,12 +2,12 @@
     from django.utils.decorators import method_decorator
     from django.views.decorators.cache import never_cache
     from rest_framework import serializers
    -from rest_framework.authentication import SessionAuthentication
     from rest_framework.permissions import IsAuthenticated
     from rest_framework.request import Request
     from rest_framework.response import Response
     
     from sentry import analytics
    +from sentry.api.authentication import SessionNoAuthTokenAuthentication
     from sentry.api.base import Endpoint, control_silo_endpoint
     from sentry.api.fields import MultipleChoiceField
     from sentry.api.serializers import serialize
    @@ -22,7 +22,7 @@ class ApiTokenSerializer(serializers.Serializer):
     
     @control_silo_endpoint
     class ApiTokensEndpoint(Endpoint):
    -    authentication_classes = (SessionAuthentication,)
    +    authentication_classes = (SessionNoAuthTokenAuthentication,)
         permission_classes = (IsAuthenticated,)
     
         @method_decorator(never_cache)
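Review bot: with `authentication_classes` now a single class that bails out on any `Authorization` header, this endpoint is deliberately session-only; a short comment next to the attribute stating that tokens are intentionally not accepted here would stop a later change from re-adding `SessionAuthentication` or a token authenticator for convenience. `permission_classes = (IsAuthenticated,)` is unchanged, so the 403 for token callers comes from `IsAuthenticated` seeing an anonymous request rather than from any scope check.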
    
  • tests/sentry/api/endpoints/test_api_tokens.py · +7 −0 · modified
    @@ -31,6 +31,13 @@ def test_never_cache(self):
                 == "max-age=0, no-cache, no-store, must-revalidate, private"
             )
     
    +    def test_deny_token_access(self):
    +        token = ApiToken.objects.create(user=self.user, scope_list=[])
    +
    +        url = reverse("sentry-api-0-api-tokens")
    +        response = self.client.get(url, format="json", HTTP_AUTHORIZATION=f"Bearer {token.token}")
    +        assert response.status_code == 403, response.content
    +
     
     @control_silo_test(stable=True)
     class ApiTokensCreateTest(APITestCase):
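Review bot: `test_deny_token_access` only exercises a token with `scope_list=[]`; add a case with a fully scoped token, and a positive case asserting that a session-authenticated GET still returns 200, so the test shows the endpoint rejects tokens regardless of scope (not just empty ones) and that the fix did not break the session path. Also confirm that `ApiToken` and `reverse` are already imported in this module, since the hunk adds no imports.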
    
