CVE-2024-32474 - OpenCVE

Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f
https://github.com/getsentry/sentry/pull/66393
https://github.com/getsentry/sentry/pull/69148
https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-18T19:50:44.541Z

Updated: 2024-08-02T02:13:39.118Z

Reserved: 2024-04-12T19:41:51.167Z

Link: CVE-2024-32474

Vulnrichment

Updated: 2024-08-02T02:13:39.118Z

NVD

Status : Awaiting Analysis

Published: 2024-04-18T20:15:17.733

Modified: 2024-04-19T13:10:25.637

Link: CVE-2024-32474

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-12T19:41:51.167Z", "datePublished": "2024-04-18T19:50:44.541Z", "dateUpdated": "2024-08-02T02:13:39.118Z"}, "containers": {"cna": {"title": "Sentry's superuser cleartext password leaked in logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-117", "lang": "en", "description": "CWE-117: Improper Output Neutralization for Logs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"}, {"name": "https://github.com/getsentry/sentry/pull/66393", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry/pull/66393"}, {"name": "https://github.com/getsentry/sentry/pull/69148", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry/pull/69148"}, {"name": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"}], "affected": [{"vendor": "getsentry", "product": "sentry", "versions": [{"version": ">= 24.3.0, < 24.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-18T19:50:44.541Z"}, "descriptions": [{"lang": "en", "value": "Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more."}], "source": {"advisory": "GHSA-6cjm-4pxw-7xp9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T14:22:52.411069Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:getsentry:sentry:-:*:*:*:*:*:*:*"], "vendor": "getsentry", "product": "sentry", "versions": [{"status": "affected", "version": "24.3.0", "versionType": "semver", "lessThanOrEqual": "24.4.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:51:26.370Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:39.118Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"}, {"name": "https://github.com/getsentry/sentry/pull/66393", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/sentry/pull/66393"}, {"name": "https://github.com/getsentry/sentry/pull/69148", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/sentry/pull/69148"}, {"name": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "name": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/getsentry/sentry/pull/66393", "name": "https://github.com/getsentry/sentry/pull/66393", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/getsentry/sentry/pull/69148", "name": "https://github.com/getsentry/sentry/pull/69148", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "name": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:39.118Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T14:22:52.411069Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:getsentry:sentry:-:*:*:*:*:*:*:*"], "vendor": "getsentry", "product": "sentry", "versions": [{"status": "affected", "version": "24.3.0", "versionType": "semver", "lessThanOrEqual": "24.4.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-23T14:30:04.948Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Sentry's superuser cleartext password leaked in logs", "source": {"advisory": "GHSA-6cjm-4pxw-7xp9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getsentry", "product": "sentry", "versions": [{"status": "affected", "version": ">= 24.3.0, < 24.4.1"}]}], "references": [{"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "name": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getsentry/sentry/pull/66393", "name": "https://github.com/getsentry/sentry/pull/66393", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsentry/sentry/pull/69148", "name": "https://github.com/getsentry/sentry/pull/69148", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "name": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-18T19:50:44.541Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32474", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:13:39.118Z", "dateReserved": "2024-04-12T19:41:51.167Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-18T19:50:44.541Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more."}, {"lang": "es", "value": "Sentry es una plataforma de seguimiento de errores y supervisi\u00f3n del rendimiento. Antes de 24.4.1, al autenticarse como superusuario en Sentry con un nombre de usuario y contrase\u00f1a, la contrase\u00f1a se filtraba como texto plano en los registros bajo el _event_: `auth-index.validate_superuser`. Un atacante con acceso a los datos de registro podr\u00eda utilizar estas credenciales filtradas para iniciar sesi\u00f3n en el sistema Sentry como superusuario. Los usuarios autohospedados de las versiones afectadas deben actualizar a 24.4.1 o posterior. Los usuarios pueden configurar el nivel de registro para excluir registros del nivel \"INFO\" y solo generar registros para niveles en \"ADVERTENCIA\" o m\u00e1s."}], "id": "CVE-2024-32474", "lastModified": "2024-04-19T13:10:25.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-18T20:15:17.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"}, {"source": "security-advisories@github.com", "url": "https://github.com/getsentry/sentry/pull/66393"}, {"source": "security-advisories@github.com", "url": "https://github.com/getsentry/sentry/pull/69148"}, {"source": "security-advisories@github.com", "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}, {"lang": "en", "value": "CWE-312"}], "source": "security-advisories@github.com", "type": "Secondary"}]}