CVE-2023-39349

Name of the Vulnerable Software and Affected Versions Sentry versions 22.1.0 through 23.7.2

Description Sentry is an error tracking and performance monitoring platform. An attacker with access to a token with few or no scopes can query "/api/0/api-tokens/" for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on sentry.io.

Recommendations For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of sentry and self-hosted. As a temporary workaround, consider restricting access to the /api/0/api-tokens/ endpoint until a patch is applied.