Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OGMyLTRtcHgtcWg5Nc4AA5rz
Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
Impact
SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published.
You may ignore this notification if you are not using authToken configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the authToken.
If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.
Patches
The behavior that allowed setting an authToken parameter was fixed in SDK version 5.19.1 where, if this parameter was set, you will see a warning and the authToken would be removed before bundling the application.
Workarounds
- Remove
authTokenfrom the plugin configuration. - If you had set the
authTokenin the plugin config previously, and built and published an app with that config, you should rotate your token.
References
Permalink: https://github.com/advisories/GHSA-68c2-4mpx-qh95JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OGMyLTRtcHgtcWg5Nc4AA5rz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 months ago
Updated: 2 months ago
Identifiers: GHSA-68c2-4mpx-qh95
References:
- https://github.com/getsentry/sentry-react-native/security/advisories/GHSA-68c2-4mpx-qh95
- https://github.com/getsentry/sentry-react-native/commit/9148964a50d2ea1de830854c95f3649f6cb94b1b
- https://github.com/getsentry/sentry-react-native/releases/tag/5.19.1
- https://github.com/advisories/GHSA-68c2-4mpx-qh95
Blast Radius: 0.0
Affected Packages
npm:@sentry/react-native
Dependent packages: 68Dependent repositories: 912
Downloads: 1,350,479 last month
Affected Version Ranges: >= 5.16.0, <= 5.19.0
Fixed in: 5.19.1
All affected versions: 5.16.0, 5.17.0, 5.18.0, 5.19.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.8.0, 4.9.0, 4.10.0, 4.10.1, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.15.1, 4.15.2, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.6.0, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.9.0, 5.9.1, 5.9.2, 5.10.0, 5.11.0, 5.11.1, 5.12.0, 5.13.0, 5.14.0, 5.14.1, 5.15.0, 5.15.1, 5.15.2, 5.19.1, 5.19.2, 5.19.3, 5.20.0, 5.21.0, 5.22.0