GHSA-68C2-4MPX-QH95

Vulnerability from github – Published: 2024-03-01 16:57 – Updated: 2024-03-01 16:57
VLAI?
Summary
Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
Details

Impact

SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published.

You may ignore this notification if you are not using authToken configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the authToken.

If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

Patches

The behavior that allowed setting an authToken parameter was fixed in SDK version 5.19.1 where, if this parameter was set, you will see a warning and the authToken would be removed before bundling the application.

Workarounds

  1. Remove authToken from the plugin configuration.
  2. If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

References

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.19.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/react-native"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "5.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T16:57:56Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nSDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published.\n\nYou may ignore this notification if you are not using `authToken` configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the `authToken`.\n\nIf you had set the `authToken` in the plugin config previously, and built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).\n\n### Patches\nThe behavior that allowed setting an `authToken` parameter was fixed in SDK version 5.19.1 where, if this parameter was set, you will see a warning and the `authToken` would be removed before bundling the application.\n\n### Workarounds\n1. Remove `authToken` from the plugin configuration.\n2. If you had set the `authToken` in the plugin config previously, and built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).\n\n### References\n* [sentry-react-native 5.19.1 release notes](https://github.com/getsentry/sentry-react-native/releases/tag/5.19.1)\n* https://github.com/getsentry/sentry-docs/pull/9244",
  "id": "GHSA-68c2-4mpx-qh95",
  "modified": "2024-03-01T16:57:56Z",
  "published": "2024-03-01T16:57:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-react-native/security/advisories/GHSA-68c2-4mpx-qh95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-react-native/commit/9148964a50d2ea1de830854c95f3649f6cb94b1b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry-react-native"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-react-native/releases/tag/5.19.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.