CVE-2024-53253
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2024-53253: In version 24.11.0 of Sentry, a specific error message may inadvertently reveal the plaintext Client ID and Client Secret of an application integration. The issue arises when an app installation uses a Search UI component with the "async" flag set to true and the user types into the Search Component, triggering a request to a third party for search or query results. If the third-party response fails validation, Sentry may return the "select-requester.invalid-response" error code along with a serialized version of the Sentry application that contains the integration Client Secret. The Client ID and Secret alone cannot grant direct access to data; an attacker would also need a valid API token for a Sentry application to abuse them. Users of Sentry SaaS are unaffected, and no abuse of the leaked Client Secret has been reported. A fix is available for self-hosted users via pull request 81038. This vulnerability affects self-hosted instances that maintain their own integrations and may occur whenever a "select-requester.invalid-response" event is generated. Self-hosted users should review the parameters logged for each named event and either downgrade to version 24.10.0 or await the next release.
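As an added example (not Sentry's own code), the following script does the review the advisory asks of self-hosted operators: it scans logged events for the "select-requester.invalid-response" code, flags any whose parameters carry a plaintext client secret, and masks the secret while leaving the rest of the serialized application intact. The JSON log shape (`event` and `params` fields) and the secret key names are assumptions; the sample lines are constructed.

```python
import json
# Error code named in the advisory.
LEAKY_ERROR_CODE = "select-requester.invalid-response"
# Key names treated as the client secret (assumed; the advisory names no field).
SECRET_KEYS = {"clientsecret", "client_secret"}
REDACTED = "[REDACTED]"
# Constructed sample log lines; the JSON shape (event + params) is an assumption.
SAMPLE_LOG = [
    '{"event": "select-requester.invalid-response", "params": {"app": {"clientID": "abc123", "clientSecret": "s3cr3t"}}}',
    '{"event": "select-requester.invalid-response", "params": {"app": {"clientID": "abc123"}}}',
    '{"event": "other.event", "params": {"clientSecret": "not-the-bug"}}',
    "not json at all",
]
def _secret_paths(obj, path=""):
    """Yield the dotted path of every non-empty, unredacted secret-looking key."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SECRET_KEYS and v and v != REDACTED:
                yield p
            yield from _secret_paths(v, p)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _secret_paths(v, f"{path}[{i}]")

def find_leaked_secrets(log_lines):
    """Return (line number, key path) for each named event whose logged params
    carry a plaintext client secret; non-JSON lines are skipped."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or event.get("event") != LEAKY_ERROR_CODE:
            continue
        findings.extend((n, p) for p in _secret_paths(event.get("params", {})))
    return findings

def _redact(obj):
    """Replace every secret-looking value, recursing through dicts and lists."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SECRET_KEYS else _redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact(v) for v in obj]
    return obj

def redact_log_line(line):
    """Return the line with secrets masked; other fields (e.g. Client ID) stay intact."""
    return json.dumps(_redact(json.loads(line)))
```

Run `find_leaked_secrets(SAMPLE_LOG)` to get `[(1, 'app.clientSecret')]`; only the named event with a populated secret is reported, and `redact_log_line` produces a copy safe to keep in logs.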
Affected Products
- Sentry
Affected Vendors
- Functional Software, Inc.