logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-68c2-4mpx-qh95 @sentry/react-native

Package

Manager: npm
Name: @sentry/react-native
Vulnerable Version: >=5.16.0 <5.19.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin ### Impact SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published. You may ignore this notification if you are not using `authToken` configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the `authToken`. If you had set the `authToken` in the plugin config previously, and built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/). ### Patches The behavior that allowed setting an `authToken` parameter was fixed in SDK version 5.19.1 where, if this parameter was set, you will see a warning and the `authToken` would be removed before bundling the application. ### Workarounds 1. Remove `authToken` from the plugin configuration. 2. If you had set the `authToken` in the plugin config previously, and built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/). ### References * [sentry-react-native 5.19.1 release notes](https://github.com/getsentry/sentry-react-native/releases/tag/5.19.1) * https://github.com/getsentry/sentry-docs/pull/9244

Metadata

Created: 2024-03-01T16:57:56Z
Modified: 2024-03-01T16:57:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-68c2-4mpx-qh95/GHSA-68c2-4mpx-qh95.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F017
Auto approve: 1