PYSEC-2023-115

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/sentry/PYSEC-2023-115.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-115
Aliases
Published
2023-07-06T23:15:00Z
Modified
2023-11-08T04:12:59.617813Z
Summary
[none]
Details

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the Access-Control-Allow-Credentials: true HTTP header whenever the Origin request header ends with the value of the system.base-hostname option. Because this is a string-suffix comparison rather than an exact match on the origin's host, an origin that merely ends with the same characters can satisfy the check. Only installations that have explicitly set system.base-hostname are affected; the option is empty by default. The impact is limited because recent versions of major browsers block cross-site cookies by default, but the flaw could still serve as one step in a multi-step attack. The fix is in Sentry 23.6.2; operators of affected installations should upgrade to 23.6.2 or later.

References

Affected packages

PyPI / sentry

Package

Affected ranges

Type
GIT
Repo
https://github.com/getsentry/sentry
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
23.6.0
Fixed
23.6.2

Affected versions

23.*

23.6.0
23.6.1