CVE-2023-39349

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-39349

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39349.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-39349

Aliases

GHSA-9jcq-jf57-c62c

Published

2023-08-07T18:27:12.396Z

Modified

2025-12-09T12:03:37.391895Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Sentry vulnerable to privilege escalation via ApiTokensEndpoint

Details

Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on sentry.io. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of sentry and self-hosted. There are no known workarounds.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39349.json",
    "cwe_ids": [
        "CWE-284",
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/getsentry/self-hosted

Affected ranges

Type: GIT
Repo: https://github.com/getsentry/self-hosted
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c3274e82164c51a21a313ffe81d2d283da1f8ef4

Affected versions

20.*

20.12.1

21.*

21.1.0

21.10.0

21.11.0

21.12.0

21.2.0

21.3.0

21.3.1

21.4.0

21.4.1

21.5.0

21.5.1

21.6.0

21.6.1

21.6.2

21.6.3

21.7.0

21.8.0

21.9.0

22.*

22.1.0

22.10.0

22.11.0

22.12.0

22.2.0

22.3.0

22.4.0

22.5.0

22.6.0

22.7.0

22.8.0

22.9.0

23.*

23.1.0

23.1.1

23.2.0

23.3.0

23.3.1

23.4.0

23.5.0

23.5.1

23.5.2

23.6.0

23.6.1

23.6.2

23.7.0

23.7.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39349.json"

Git / github.com/getsentry/sentry

Affected ranges

Type: GIT
Repo: https://github.com/getsentry/sentry
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

adbbcd8cfb0406be8647c6763a243e171de3d84a

Fixed

fad12c1150d1135edf9666ea72ca11bc110c1083

Affected versions

1.*

1.10.0

1.10.1

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.12.0

1.12.1

1.12.2

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.4.3

1.6.2

1.6.4

1.6.5

1.6.7

1.6.8

1.6.8.1

1.6.8.2

1.7.3

1.8.3.1

1.8.4

1.8.4.1

1.8.4.2

1.8.8

2.*

2.0.0

2.0.0-RC5

2.0.0-RC7

2.0.0-RC9

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.7.0

2.8.0

2.8.1

2.9.0

20.*

20.10.0

20.10.1

20.11.0

20.11.1

20.12.1

20.6.0

20.7.0

20.7.1

20.8.0

20.9.0

21.*

21.1.0

21.2.0

21.3.0

21.3.1

21.4.0

21.4.1

21.5.0

21.5.1

21.6.0

21.6.1

21.6.2

21.6.3

21.7.0

21.8.0

21.9.0

22.*

22.1.0

22.10.0

22.11.0

22.12.0

22.2.0

22.3.0

22.4.0

22.5.0

22.6.0

22.7.0

22.8.0

22.9.0

23.*

23.1.0

23.1.1

23.2.0

23.3.0

23.3.1

23.4.0

23.5.0

23.5.1

23.5.2

23.6.0

23.6.1

23.6.2

23.7.0

23.7.1

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0

3.4.1

3.4.2

3.5.0

3.5.1

3.5.2

3.5.3

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.8.0

3.8.1

3.8.2

4.*

4.0.0

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.17

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.10.0

4.2.0

4.2.1

4.2.2

4.2.4

4.2.5

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.6.0

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.7

4.7.8

4.7.9

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.9.0

4.9.2

4.9.4

4.9.5

4.9.6

4.9.7

4.9.7.1

4.9.8

5.*

5.0.0

5.0.1

5.0.10

5.0.11

5.0.11.1

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.16.1

5.0.17.1

5.0.17.2

5.0.18

5.0.18.1

5.0.18.2

5.0.19

5.0.2

5.0.20

5.0.20.1

5.0.21

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8.1

5.1.0

5.1.1

5.1.1.1

5.1.1.2

5.1.2

5.1.3

5.1.4

5.1.5

5.2.0

5.2.1

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.1.0

6.1.1

6.1.2

6.2.0

6.2.1

6.2.2

6.2.3

6.3.0

6.3.1

6.3.2

6.4.0

6.4.2

6.4.2.1

6.4.3

6.4.4

7.*

7.0.0

7.1.0

7.2.0

7.3.0

7.4.0

8.*

8.0.0

8.0.0-rc1

8.0.0rc2

8.1.0

v1.*

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.12.0

v1.12.1

v1.12.2

v1.13.0

v1.13.1

v1.13.2

v1.13.3

v1.13.4

v1.13.5

v1.6.2

v1.6.4

v1.6.5

v1.6.7

v1.6.8

v1.6.8.1

v1.6.8.2

v1.7.3

v1.8.3.1

v1.8.4

v1.8.4.1

v1.8.4.2

v1.8.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39349.json"