PT-2023-27002 · Sentry · Sentry

Erichasegawa

Published

2023-08-09

Updated

2023-08-16

CVE-2023-39531

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions Sentry versions 10.0.0 through 23.7.2

Description The issue allows an attacker with sufficient client-side exploits to retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The client ID must be known and the API application must have already been authorized on the targeted user account. Users should review applications authorized on their account and remove any that are no longer needed.

Recommendations Self-hosted installations should upgrade to version 23.7.2 or higher. Sentry SaaS customers do not need to take any action. As a temporary workaround, consider reviewing applications authorized on your account and remove any that are no longer needed.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2023-39531

GHSA-HGJ4-H2X3-RFX4

Affected Products

Sentry

PT-2023-27002 · Sentry · Sentry

CVE-2023-39531

Weakness Enumeration

Related Identifiers

Affected Products

References · 7