Back

CVE-2024-32474

April 18, 2024, 8:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Sentry

  • prior to 24.4.1

Source

security-advisories@github.com

Tags

CVE-2024-32474 details

Published : April 18, 2024, 8:15 p.m.
Last Modified : April 18, 2024, 8:15 p.m.

Description

Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more.

CVSS Score

1 2 3 4 5 6 7.3 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.3

Exploitability Score

Impact Score

Base Severity

HIGH

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References

URL Source
https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f security-advisories@github.com
https://github.com/getsentry/sentry/pull/66393 security-advisories@github.com
https://github.com/getsentry/sentry/pull/69148 security-advisories@github.com
https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.