PT-2024-26374 · Sentry · Sentry

Asottile · Published 2024-05-31 · Updated 2024-06-02 · CVE-2024-35196

CVSS v3.1: 2.0 (Low)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sentry versions prior to 24.5.0

Description: Sentry's Slack integration incorrectly records the incoming request body in its logs. That body can contain sensitive information, including the deprecated Slack verification token, which an attacker can use to forge requests and act as the Slack integration under specific configurations. The request body is leaked in log entries matching `event == "slack.*" && name == "sentry.integrations.slack" && request data == *`, with the deprecated Slack verification token found under the `request data.token` key.

Recommendations: For self-hosted users, upgrade to version 24.5.0 or higher, rotate the Slack verification token, and use the Slack Signing Secret instead of the verification token. As a temporary workaround, set `slack.signing-secret` instead of `slack.verification-token` so that the verification token is no longer used for authentication. Alternatively, adjust the logging configuration so that the integration generates no logs, by routing its logs to a null handler and preventing generation of logs at lower levels. Services should be restarted once the configuration change is saved.
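As an added example (not Sentry's own code), the defender-side counterpart of the pattern above: a scan over constructed, structured log lines that flags records matching the advisory's pattern and redacts the token from the request data before the lines are retained or shipped. The JSON key names `event`, `name` and `request_data` are assumptions that mirror the advisory's wording, not Sentry's actual log serialisation.

```python
"""Added example (not Sentry's code): find CVE-2024-35196 leak records in
structured logs and redact the Slack verification token. Key names (event,
name, request_data) are assumed to mirror the advisory, not Sentry's format."""
import fnmatch
import json
from typing import Iterable, List, Tuple

LEAKY_LOGGER = "sentry.integrations.slack"  # logger name from the advisory
LEAKY_EVENT_GLOB = "slack.*"                # event pattern from the advisory
TOKEN_KEY = "token"                         # request data key holding the token
REDACTED = "[REDACTED]"


def is_leaky_record(rec: dict) -> bool:
    """Match the advisory's pattern: slack.* event, slack logger, token present."""
    if rec.get("name") != LEAKY_LOGGER:
        return False
    if not fnmatch.fnmatchcase(str(rec.get("event", "")), LEAKY_EVENT_GLOB):
        return False
    data = rec.get("request_data")
    return isinstance(data, dict) and TOKEN_KEY in data


def scan_log_lines(lines: Iterable[str]) -> Tuple[int, List[str]]:
    """Return (leaky record count, lines with the token redacted); non-JSON
    lines and non-matching records pass through unchanged."""
    hits, out = 0, []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            out.append(line)  # plain-text line: nothing to inspect
            continue
        if isinstance(rec, dict) and is_leaky_record(rec):
            hits += 1
            rec["request_data"][TOKEN_KEY] = REDACTED
            out.append(json.dumps(rec, sort_keys=True))
        else:
            out.append(line)
    return hits, out


# Constructed sample lines; the token values are placeholders, not real secrets.
SAMPLE_LOG_LINES = [
    json.dumps({"event": "slack.event.message", "name": LEAKY_LOGGER,
                "request_data": {"token": "CONSTRUCTED-VERIFICATION-TOKEN"}}),
    json.dumps({"event": "slack.action", "name": LEAKY_LOGGER,
                "request_data": {"payload": "{}"}}),  # no token key: not a leak
    json.dumps({"event": "github.webhook", "name": "sentry.integrations.github",
                "request_data": {"token": "CONSTRUCTED-OTHER"}}),  # other logger
    "plain text line without JSON",
]
```

Running `scan_log_lines(SAMPLE_LOG_LINES)` reports one leaky record and returns the first line with its token replaced by `[REDACTED]`, while the other three lines come back untouched.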

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-35196
GHSA-C2G2-GX4J-RJ3J

Affected Products

Sentry