GHSA-4xqm-4p72-87h6

Source

https://github.com/advisories/GHSA-4xqm-4p72-87h6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4xqm-4p72-87h6/GHSA-4xqm-4p72-87h6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4xqm-4p72-87h6

Aliases

Published

2023-07-06T22:55:44Z

Modified

2024-02-16T07:56:29.946359Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Sentry CORS misconfiguration

Details

Impact

The Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry installation. This only affects installations that have system.base-hostname option explicitly set, as it is empty by default.

Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.

Patches

The patch has been released in Sentry 23.6.2.

Workarounds

For Sentry SaaS customers, no action is needed.

For self-hosted Sentry installations that have system.base-hostname explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.

References

getsentry/sentry PR #52276

Credits

@andr0idp4r4n0id

Database specific

{
    "nvd_published_at": "2023-07-06T23:15:09Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2023-07-06T22:55:44Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-697",
        "CWE-863",
        "CWE-942"
    ]
}

References

Affected packages

PyPI / sentry

Package

Name: sentry; View open source insights on deps.dev
Purl: pkg:pypi/sentry

Affected ranges

Type: ECOSYSTEM
Events: Introduced

23.6.0

Fixed

23.6.2

Affected versions

23.*

23.6.0

23.6.1