PT-2024-35692 · Sentry +1

Christinarlong · Published 2024-11-20 · Updated 2026-01-22 · CVE-2024-53253

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Sentry version 24.11.0
Description: Sentry is an error tracking and performance monitoring platform. A specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. This could occur under certain conditions, including the use of a Search UI component with the async flag set to true, a user typing into the Search Component, and a third-party response failing validation, resulting in the select-requester.invalid-response error code. The Client ID and Client Secret would not be displayed in the UI but would be returned in the underlying HTTP response to the end user. For the secret to be abused, an attacker would also need to obtain a valid API token for a Sentry application. Sentry SaaS users do not need to take any action, as only a single application integration was impacted and the owner has rotated their Client Secret, with no abuse of the leaked Client Secret occurring.
Recommendations: For Sentry self-hosted users, upgrade to version 24.11.1 or higher to resolve the issue. Alternatively, self-hosted users may consider downgrading to version 24.10.0 if they are already running the affected version. As a temporary workaround, consider reviewing the select_requester.py file for instances where the error can be generated and searching for the select-requester.invalid-response event to identify potential exposures.
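As an added example (not code from this advisory or from the Sentry project), the following scans an exported set of error events for the select-requester.invalid-response code named in the workaround above and reports whether a credential-looking field appears anywhere in the captured response body. The newline-delimited JSON export shape and the client_id/client_secret key names are assumptions; the sample events are constructed.

```python
import json

# Error code named in the advisory for CVE-2024-53253.
LEAKY_ERROR_CODE = "select-requester.invalid-response"

# Assumed key names: the advisory says the response could carry the
# integration's Client ID and Client Secret but does not name the fields.
SENSITIVE_KEYS = {"client_id", "client_secret", "clientid", "clientsecret"}

def _walk_keys(obj):
    """Yield every key of every dict nested anywhere inside a JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _walk_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk_keys(item)

def find_exposures(ndjson_lines):
    """Return the events carrying the leaky error code, each flagged with
    whether a credential-looking key appears anywhere in its response body.
    Input lines are JSON objects with 'error_code' and 'body' fields; that
    export shape is an assumption for this example, not Sentry's own schema."""
    hits = []
    for lineno, raw in enumerate(ndjson_lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of aborting the scan
        if not isinstance(event, dict) or event.get("error_code") != LEAKY_ERROR_CODE:
            continue
        keys = {k.lower().replace("-", "_") for k in _walk_keys(event.get("body"))}
        hits.append({"line": lineno, "leaks_secret": bool(keys & SENSITIVE_KEYS)})
    return hits

# Constructed sample export: a harmless validation error, an error whose body
# embeds integration credentials, an unrelated error, and a non-JSON line.
SAMPLE_EXPORT = [
    '{"error_code": "select-requester.invalid-response", "body": {"detail": "bad json"}}',
    '{"error_code": "select-requester.invalid-response", "body": {"integration": {"client_id": "x", "client_secret": "y"}}}',
    '{"error_code": "other", "body": {"client_secret": "z"}}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_EXPORT):
        print(hit)
```

Events flagged with leaks_secret set are the ones whose integration owner should rotate the Client Secret, which is the remediation the advisory describes for the SaaS case.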

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2026-01024
CVE-2024-53253
GHSA-V5H2-Q2W4-GPCX
PYSEC-2024-310

Affected Products

Red Os
Sentry