Safety vulnerability ID: 74440
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Sentry are vulnerable to Information Exposure Through Error Messages (CWE-209). When handling invalid responses from third-party integrations, the Search UI component exposes Client ID and Secret credentials in error messages. This occurs when async search components receive invalid third-party responses, triggered through the SelectRequester class. Though exploitation requires specific validation failures and additional API tokens for full access, it risks exposing integration secrets. Fixed in version 24.11.1 by restructuring error handling and implementing proper error message sanitization.
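The CWE-209 pattern described above, beside a sanitized form, as an added example that is not Sentry's code or its fix. The response schema, function names, key patterns and sample values are all assumptions made for illustration.

```python
import json
import re

# Key names treated as sensitive (assumption for this example).
SENSITIVE_KEY = re.compile(r"(secret|token|password|client_id|api_key)", re.I)
MASK = "[redacted]"

def is_valid_select_response(body):
    """Hypothetical schema: a list of {"label": str, "value": str} options."""
    return isinstance(body, list) and all(
        isinstance(o, dict) and isinstance(o.get("label"), str)
        and isinstance(o.get("value"), str) for o in body)

def collect_secrets(obj, found):
    """Gather non-empty string values stored under sensitive keys, at any depth."""
    items = (obj.items() if isinstance(obj, dict)
             else enumerate(obj) if isinstance(obj, list) else ())
    for k, v in items:
        if isinstance(v, str) and v and SENSITIVE_KEY.search(str(k)):
            found.add(v)
        else:
            collect_secrets(v, found)
    return found

def redact(obj, secrets):
    """Mask sensitive keys and any string that echoes a known secret value."""
    if isinstance(obj, dict):
        return {k: MASK if SENSITIVE_KEY.search(str(k)) else redact(v, secrets)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            obj = obj.replace(s, MASK)
    return obj

def unsafe_error(context, body):
    # CWE-209 pattern: the whole request context is serialized into the message.
    return f"Invalid response format: {json.dumps(body)} context={json.dumps(context)}"

def safe_error(context, body):
    """Return (generic message for the client, redacted detail for server logs)."""
    secrets = collect_secrets(context, set())
    detail = json.dumps(redact({"context": context, "body": body}, secrets))
    return "The integration returned an invalid response.", detail

# Constructed sample data; none of these values come from Sentry.
CONTEXT = {"uri": "/options", "app": {"client_id": "cid-EXAMPLE", "client_secret": "s3cr3t-EXAMPLE"}}
BAD_BODY = {"error": "bad request from cid-EXAMPLE"}
```

The value-based scrub matters because a third-party response can echo a credential back inside free text, where key-name masking alone would miss it.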
Latest version: 23.7.1
A realtime logging and aggregation server.