Sentry is a popular error tracking and performance monitoring platform designed to help developers build more reliable applications. However, a recent vulnerability has been discovered that could potentially allow an attacker to gain access to tokens with more permissions than they should have. This post will provide a detailed explanation of the issue, associated risks, and recommended steps to mitigate the problem.

Description

The vulnerability, identified as CVE-2023-39349, affects Sentry versions 22.1.0 through 23.7.1. The issue is caused by insufficient access control on the /api/0/api-tokens/ endpoint. An attacker holding a token with few or no scopes can query this endpoint to list every token created by the same user, including tokens with broader scopes. With one of those tokens in hand, the attacker can then perform actions the original low-scope token was never authorized for.

To demonstrate the vulnerability, consider the following API request:

GET /api/0/api-tokens/ HTTP/1.1
Host: your-sentry-instance.example.com
Authorization: Bearer low_scope_token

Authenticating with a low-privilege token (such as low_scope_token above) is enough for this request to succeed, and the response lists all of the user's tokens, including those with higher privileges. The weak check is on the credential's existence, not on whether its scopes justify reading other credentials.
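
The following is an added illustrative model of the access-control flaw and one defensive design for it; it is not Sentry's code and makes no claim about how Sentry's actual 23.7.2 patch is written. The names ApiToken, Principal, TokenStore, list_tokens_vulnerable and list_tokens_hardened are assumptions made for this example, and the token values are constructed sample data. The vulnerable handler checks only that the caller presented some valid token and then returns every token of that user, secrets included; the hardened handler refuses token management to bearer tokens entirely (only an interactive session may list them) and never returns secret values in the listing.

```python
"""Toy model of CVE-2023-39349's pattern: a low-scope bearer token enumerating
sibling tokens with broader scopes. Example code, not Sentry's implementation."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiToken:
    token_id: int
    user_id: int
    secret: str             # the bearer value a client presents
    scopes: frozenset[str]  # permissions granted to this token


@dataclass(frozen=True)
class Principal:
    """The caller: a session-authenticated user, or a user acting via a bearer token."""
    user_id: int
    via_token: Optional[ApiToken] = None  # None means interactive session login


class Forbidden(Exception):
    pass


class TokenStore:
    """In-memory token table (constructed for this example)."""

    def __init__(self, tokens: list[ApiToken]) -> None:
        self._tokens = list(tokens)

    def authenticate(self, bearer: str) -> Principal:
        for tok in self._tokens:
            if tok.secret == bearer:
                return Principal(user_id=tok.user_id, via_token=tok)
        raise Forbidden("unknown token")

    def for_user(self, user_id: int) -> list[ApiToken]:
        return [t for t in self._tokens if t.user_id == user_id]


def list_tokens_vulnerable(store: TokenStore, caller: Principal) -> list[dict]:
    """Flawed pattern: the check stops at 'is this a valid token for some user?'.
    Any token, however few scopes it has, receives every token of the same user,
    secret values included, so a low-scope token can be traded up."""
    return [
        {"id": t.token_id, "scopes": sorted(t.scopes), "token": t.secret}
        for t in store.for_user(caller.user_id)
    ]


def list_tokens_hardened(store: TokenStore, caller: Principal) -> list[dict]:
    """Hardened pattern (an assumed design, not Sentry's actual patch):
    1. bearer tokens may not manage tokens, so no token can enumerate its siblings;
    2. the listing carries metadata and a short hint, never the secret itself."""
    if caller.via_token is not None:
        raise Forbidden("token management requires an interactive session")
    return [
        {"id": t.token_id, "scopes": sorted(t.scopes), "hint": "..." + t.secret[-4:]}
        for t in store.for_user(caller.user_id)
    ]


def make_store() -> TokenStore:
    """Constructed sample data: user 42 owns a scope-less token and an admin token."""
    return TokenStore([
        ApiToken(1, 42, "low_scope_token_abcd", frozenset()),
        ApiToken(2, 42, "admin_token_wxyz", frozenset({"org:admin", "project:write"})),
    ])


def run_scenario() -> dict:
    """Replay the advisory's scenario against both handlers and report the outcome."""
    store = make_store()
    low_scope_caller = store.authenticate("low_scope_token_abcd")

    # Vulnerable handler: the scope-less token walks away with the admin secret.
    leaked_secrets = {t["token"] for t in list_tokens_vulnerable(store, low_scope_caller)}

    # Hardened handler: the same bearer token is refused outright.
    try:
        list_tokens_hardened(store, low_scope_caller)
        token_auth_rejected = False
    except Forbidden:
        token_auth_rejected = True

    # A session-authenticated user still gets a usable, secret-free listing.
    session_listing = list_tokens_hardened(store, Principal(user_id=42))
    return {
        "leaked_secrets": leaked_secrets,
        "token_auth_rejected": token_auth_rejected,
        "session_listing": session_listing,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("vulnerable handler leaked:", sorted(result["leaked_secrets"]))
    print("hardened handler rejected bearer token:", result["token_auth_rejected"])
    print("hardened listing for a session user:", result["session_listing"])
```

The two handlers differ in exactly the property the advisory is about: in the vulnerable one, possession of any credential for a user is treated as authority over all of that user's credentials. Refusing bearer-token access to the token-management endpoint and redacting secrets from list responses are independent controls; either alone would have stopped the escalation shown here, and together they also limit the blast radius if a session is ever compromised.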

References

A detailed explanation of the issue and its potential implications can be found on the Sentry official GitHub repository:
- Security Advisory GHSA-7v84-f9hq-885q

Exploit Details

There is currently no evidence that this vulnerability has been exploited on sentry.io, the managed Sentry offering. Self-hosted users should take the steps outlined below to mitigate the risk posed by this vulnerability.

Mitigation

To address this issue, Sentry has released version 23.7.2, which includes a fix for the vulnerability. Users running affected versions of Sentry or Sentry Self-Hosted should upgrade to this version or later as soon as possible. You can find more information on upgrading Sentry in their official documentation:
- Upgrading Sentry

Additionally, self-hosted Sentry users are advised to rotate their user authentication tokens to ensure that any leaked tokens are invalidated. Detailed instructions can be found in the official Sentry documentation:
- Revoking and Rotating Auth Tokens

At this time, there are no known workarounds for this issue.

Conclusion

This vulnerability in Sentry is a reminder of the importance of practicing strong access control within applications and systems. By promptly updating to the latest version and rotating authentication tokens, users can mitigate the risk posed by this issue and protect their Sentry instances from unauthorized access.

Timeline

Published on: 08/07/2023 19:15:00 UTC
Last modified on: 08/10/2023 17:04:00 UTC