#VU100911 Information disclosure in sentry - CVE-2024-53253

Cybersecurity Help s.r.o.

Published: 2024-11-25

Vulnerability identifier: #VU100911

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-53253

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
sentry
Other software / Other software solutions

Vendor: Sentry

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a specific error message generated by the Sentry platform can include a plaintext Client ID and Client Secret for an application integration. A remote attacker can send a specially crafted request and obtain the integration Client Secret.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

sentry: 24.11.0

External links
https://github.com/getsentry/sentry/pull/79377
https://github.com/getsentry/sentry/pull/81038
https://github.com/getsentry/sentry/security/advisories/GHSA-v5h2-q2w4-gpcx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Sentry