Lucene search

[email protected]NVD:CVE-2024-32474

HistoryApr 18, 2024 - 8:15 p.m.

CVE-2024-32474

2024-04-1820:15:17

CWE-312

CWE-117

[email protected]

web.nvd.nist.gov

sentry

error tracking

performance monitoring

authentication

password leakage

logs

superuser

access control

upgrade

self-hosted

logging configuration

security vulnerability

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

15.5%

JSON

Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validate_superuser. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the INFO level and only generate logs for levels at WARNING or more.

References

github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f

github.com/getsentry/sentry/pull/66393

github.com/getsentry/sentry/pull/69148

github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-32474

osv2 cvelist1 cve1 github1