PyPI package
sentry
pkg:pypi/sentry
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42354 | Cri | 9.1 | >= 21.12.0, < 26.4.1 | 26.4.1 | May 8, 2026 | Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SA | |
| CVE-2026-27197 | — | >= 21.12.0 | — | Feb 21, 2026 | Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another | ||
| CVE-2025-22146 | Cri | 9.1 | >= 21.12.0, < 25.1.0 | 25.1.0 | Jan 15, 2025 | Sentry is a developer-first error tracking and performance monitoring tool. A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user accou | |
| CVE-2024-53253 | — | >= 24.11.0, < 24.11.1 | 24.11.1 | Nov 22, 2024 | Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integra | ||
| CVE-2024-45605 | — | >= 23.9.0, < 24.9.0 | 24.9.0 | Sep 17, 2024 | Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete u | ||
| CVE-2024-45606 | — | >= 23.4.0, < 24.9.0 | 24.9.0 | Sep 17, 2024 | Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user can mute alert rules from arbitrary organizations and projects with a know rule ID. The user does not need to be a member of the organization or have permissions on the project. | ||
| CVE-2024-41656 | — | >= 10.0.0, < 24.7.1 | 24.7.1 | Jul 23, 2024 | Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 24.7.1, an unsanitized payload sent by an Integration platform integration allows storing arbitrary HTML tags on the Sentry side with the subsequent rendering them on | ||
| CVE-2024-35196 | Low | 2.0 | >= 24.3.0, < 24.5.0 | 24.5.0 | May 31, 2024 | Sentry is a developer-first error tracking and performance monitoring platform. Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this veri | |
| CVE-2024-32474 | — | >= 24.3.0, < 24.4.1 | 24.4.1 | Apr 18, 2024 | Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to | ||
| CVE-2023-39531 | — | >= 10.0.0, < 23.7.2 | 23.7.2 | Aug 9, 2023 | Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 23.7.2, an attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credenti | ||
| CVE-2023-39349 | — | >= 22.1.0, < 23.7.2 | 23.7.2 | Aug 7, 2023 | Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with great | ||
| CVE-2023-36826 | — | >= 8.21.0, < 23.5.2 | 23.5.2 | Jul 25, 2023 | Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a | ||
| CVE-2023-36829 | — | >= 23.6.0, < 23.6.2 | 23.6.2 | Jul 6, 2023 | Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` | ||
| CVE-2022-23485 | — | >= 20.6.0, < 22.11.0 | 22.11.0 | Dec 10, 2022 | Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organiza |
- affected >= 21.12.0, < 26.4.1fixed 26.4.1
Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SA
- CVE-2026-27197Feb 21, 2026affected >= 21.12.0
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another
- affected >= 21.12.0, < 25.1.0fixed 25.1.0
Sentry is a developer-first error tracking and performance monitoring tool. A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user accou
- CVE-2024-53253Nov 22, 2024affected >= 24.11.0, < 24.11.1fixed 24.11.1
Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integra
- CVE-2024-45605Sep 17, 2024affected >= 23.9.0, < 24.9.0fixed 24.9.0
Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user delete the user issue alert notifications for arbitrary users given a know alert ID. A patch was issued to ensure authorization checks are properly scoped on requests to delete u
- CVE-2024-45606Sep 17, 2024affected >= 23.4.0, < 24.9.0fixed 24.9.0
Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user can mute alert rules from arbitrary organizations and projects with a know rule ID. The user does not need to be a member of the organization or have permissions on the project.
- CVE-2024-41656Jul 23, 2024affected >= 10.0.0, < 24.7.1fixed 24.7.1
Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 24.7.1, an unsanitized payload sent by an Integration platform integration allows storing arbitrary HTML tags on the Sentry side with the subsequent rendering them on
- affected >= 24.3.0, < 24.5.0fixed 24.5.0
Sentry is a developer-first error tracking and performance monitoring platform. Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this veri
- CVE-2024-32474Apr 18, 2024affected >= 24.3.0, < 24.4.1fixed 24.4.1
Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to
- CVE-2023-39531Aug 9, 2023affected >= 10.0.0, < 23.7.2fixed 23.7.2
Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 23.7.2, an attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credenti
- CVE-2023-39349Aug 7, 2023affected >= 22.1.0, < 23.7.2fixed 23.7.2
Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with great
- CVE-2023-36826Jul 25, 2023affected >= 8.21.0, < 23.5.2fixed 23.5.2
Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a
- CVE-2023-36829Jul 6, 2023affected >= 23.6.0, < 23.6.2fixed 23.6.2
Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname`
- CVE-2022-23485Dec 10, 2022affected >= 20.6.0, < 22.11.0fixed 22.11.0
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organiza