
Sentry is a widely used error tracking and performance monitoring platform. A vulnerability has been discovered in versions from 10.. up to and including 23.7.1 that makes it possible for an attacker with client-side exploits to retrieve a valid access token for another user during the OAuth token exchange process. The vulnerability is due to incorrect credential validation. To exploit it, an attacker needs to know the client ID of the targeted user and must already have authorized the API application on the targeted user's account.

The Sentry team has promptly fixed this issue in version 23.7.2. Sentry Software as a Service (SaaS) customers need not take any action, as the Sentry team has already updated the platform. However, self-hosted Sentry installations should upgrade to version 23.7.2 or later to avoid falling victim to this exploit.

Technical Details

---

In the OAuth token exchange process, Sentry failed to properly validate client credentials. The affected code snippet, seen below, only checks that a client_id and client_secret are present and never verifies them against the registered application; this allowed client_id to be leaked to malicious applications and, in turn, the targeted user's access token to be retrieved:

# Incorrect validation of client credentials
def exchange_token(self, request, *args, **kwargs):
    client_id = request.GET.get('client_id')
    client_secret = request.GET.get('client_secret')

    # Presence check only: any non-empty secret passes, and nothing confirms
    # that the secret belongs to the application identified by client_id.
    if not client_id or not client_secret:
        return {'error': 'invalid_client'}

    # ... subsequent code ...

An attacker with sufficient knowledge of client-side exploits could use this leaked information to gain a valid access token during OAuth token exchange, leading to possible unauthorized access to the user's sensitive data.
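The following added example is not Sentry's code; it is a minimal, self-contained token endpoint written to contrast the presence-only check shown above with the validation a token exchange is expected to perform. The application registry, the authorization grant, the function names and the sample values are all constructed for the example, and the hardened version reflects standard OAuth practice rather than the exact shape of the Sentry fix.

```python
# Added example (not Sentry's code). Compares a presence-only credential check
# with one that verifies the client secret and the grant's owner. All names,
# registries and sample values below are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiApplication:
    client_id: str
    client_secret: str


@dataclass
class AuthorizationGrant:
    code: str
    client_id: str   # application the user actually authorized
    user_id: str
    used: bool = False


# Constructed registry: one legitimate application and one grant issued to it.
APPLICATIONS = {
    "app-legit": ApiApplication("app-legit", "s3cr3t-legit"),
}
GRANTS = {
    "grant-abc": AuthorizationGrant("grant-abc", "app-legit", "user-42"),
}


def _issue_token(user_id: str, client_id: str) -> dict:
    """Mint a bearer token for the user on behalf of the given client."""
    return {
        "access_token": "tok-" + secrets.token_hex(8),
        "user": user_id,
        "client_id": client_id,
    }


def exchange_token_vulnerable(params: dict) -> dict:
    """Presence-only check, mirroring the affected snippet.

    Any non-empty client_secret is accepted, so a caller who knows only the
    client_id and a grant code obtains a token for that grant's user.
    """
    client_id = params.get("client_id")
    client_secret = params.get("client_secret")
    if not client_id or not client_secret:
        return {"error": "invalid_client"}
    grant = GRANTS.get(params.get("code", ""))
    if grant is None:
        return {"error": "invalid_grant"}
    return _issue_token(grant.user_id, client_id)


def exchange_token_fixed(params: dict) -> dict:
    """Verify the secret against the registered application and check that
    the grant was issued to this client and has not been used before."""
    client_id = params.get("client_id")
    client_secret = params.get("client_secret")
    if not client_id or not client_secret:
        return {"error": "invalid_client"}

    app = APPLICATIONS.get(client_id)
    # Constant-time comparison so an unknown client and a wrong secret are
    # indistinguishable to the caller.
    if app is None or not hmac.compare_digest(
        app.client_secret.encode(), client_secret.encode()
    ):
        return {"error": "invalid_client"}

    grant = GRANTS.get(params.get("code", ""))
    # The grant must exist, be fresh, and belong to the authenticated client.
    if grant is None or grant.used or grant.client_id != client_id:
        return {"error": "invalid_grant"}
    grant.used = True
    return _issue_token(grant.user_id, client_id)


if __name__ == "__main__":
    bad = {"client_id": "app-legit", "client_secret": "guess", "code": "grant-abc"}
    good = {"client_id": "app-legit", "client_secret": "s3cr3t-legit", "code": "grant-abc"}
    print("vulnerable, wrong secret:", exchange_token_vulnerable(bad))
    print("fixed, wrong secret:     ", exchange_token_fixed(bad))
    print("fixed, correct secret:   ", exchange_token_fixed(good))
    print("fixed, code reused:      ", exchange_token_fixed(good))
```

Run as-is, the vulnerable function hands out a token for user-42 to a caller supplying an arbitrary secret, while the hardened function rejects the same request with invalid_client, issues a token only for the correct secret, and refuses to redeem the grant a second time. Beyond the secret check the page describes, the example also ties the grant to the client that received it, which is the check that stops a correctly authenticated but different application from redeeming someone else's grant.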

References

---
1. Original Advisory: Sentry Security Advisory
2. CVE: CVE-2023-39531

Mitigation

---
Sentry SaaS customers do not need to take any additional actions, as the platform has already been updated by the Sentry team. For self-hosted Sentry installations, users should upgrade to version 23.7.2 or later to ensure they are protected against this vulnerability.

No direct workarounds are available for this issue. However, users can take some preventive measures by periodically reviewing the applications authorized on their account and removing any applications that are no longer necessary or in use.

Conclusion

---

Sentry's OAuth token exchange vulnerability (CVE-2023-39531) can put user access tokens at risk if an attacker possesses knowledge of client-side exploits and the client ID of the targeted user. Self-hosted Sentry installations should upgrade to version 23.7.2 or higher, and users of both self-hosted and SaaS platforms should practice good security hygiene by reviewing and removing any unnecessary authorized applications.

Whether using Sentry or any other software, staying up-to-date on security patches and maintaining awareness of your account's authorized applications is crucial in ensuring your sensitive data remains protected from unauthorized access.

Timeline

Published on: 08/09/2023 17:15:00 UTC
Last modified on: 08/16/2023 17:55:00 UTC