How can an attacker exploit CVE-2023-39531?

The attacker needs to have knowledge of the client ID and the API application must have been authorized on the targeted user account.

What is the severity of CVE-2023-39531?

The severity of CVE-2023-39531 is medium with a severity value of 6.8.

What is the remedy for CVE-2023-39531?

The remedy for CVE-2023-39531 is to upgrade to version 23.7.2 of the Sentry package.

Where can I find more information about CVE-2023-39531?

You can find more information about CVE-2023-39531 at the following references: [GitHub Advisory](https://github.com/getsentry/sentry/security/advisories/GHSA-hgj4-h2x3-rfx4) and [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-39531).

Vulnerability/
CVE-2023-39531

medium

6.8

CWE

287

9/8/2023

3/10/2024

CVE-2023-39531: Sentry vulnerable to incorrect credential validation on OAuth token requests

First published: Wed Aug 09 2023(Updated: )

### Impact An attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The client ID must be known and the API application must have already been authorized on the targeted user account. ### Remediation - **Sentry SaaS** customers do not need to take any action. Those with the highest risk will be contacted directly by Sentry. - **Self-hosted installations** should upgrade to version 23.7.2 or higher. ### Workarounds There are no direct workarounds, but users should review applications authorized on their account (_User Settings > Authorized Applications_) and remove any that are no longer needed.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Sentry Sentry	>=10.0.0<23.7.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the impact of CVE-2023-39531?
An attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation.
How can an attacker exploit CVE-2023-39531?
The attacker needs to have knowledge of the client ID and the API application must have been authorized on the targeted user account.
What is the severity of CVE-2023-39531?
The severity of CVE-2023-39531 is medium with a severity value of 6.8.
What is the remedy for CVE-2023-39531?
The remedy for CVE-2023-39531 is to upgrade to version 23.7.2 of the Sentry package.
Where can I find more information about CVE-2023-39531?
You can find more information about CVE-2023-39531 at the following references: [GitHub Advisory](https://github.com/getsentry/sentry/security/advisories/GHSA-hgj4-h2x3-rfx4) and [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-39531).

collector/github-advisory-latest
alias/GHSA-hgj4-h2x3-rfx4
alias/CVE-2023-39531
collector/nvd-api
collector/nvd-index
collector/nvd-cve
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/references
agent/title
agent/last-modified-date
agent/author
agent/severity
agent/tags
agent/description
agent/first-publish-date
agent/event
package-manager/pip
vendor/sentry
canonical/sentry sentry
version/sentry sentry/10.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.