CVE-2023-36829

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-36829
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36829.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-36829
Aliases
Published
2023-07-06T22:08:58Z
Modified
2025-10-15T02:25:04.389229Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Sentry CORS misconfiguration vulnerability
Details

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry installation. This only affects installations that have system.base-hostname option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2.

References

Affected packages

Git / github.com/getsentry/self-hosted

Affected ranges

Type
GIT
Repo
https://github.com/getsentry/self-hosted
Events
Introduced
dbded584377d50a2545a98de5d0d53d204b369a0
Fixed
5c5bf06fae3ac6b8c60b4770d4ac985ea670103f

Affected versions

23.*

23.6.0
23.6.1

Git / github.com/getsentry/self-hosted

Affected ranges

Type
GIT
Repo
https://github.com/getsentry/self-hosted
Events
Introduced
dbded584377d50a2545a98de5d0d53d204b369a0
Fixed
5c5bf06fae3ac6b8c60b4770d4ac985ea670103f

Affected versions

23.*

23.6.0
23.6.1