CVE-2023-36829

Description

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected products

getsentry / sentry>= 23.6.0, < 23.6.2 – >= 23.6.0, < 23.6.2

References

VENDOR_ADVISORYhttps://github.com/getsentry/sentry/security/advisories/GHSA-4xqm-4p72-87h6
PATCHhttps://github.com/getsentry/sentry/pull/52276
PATCHhttps://github.com/getsentry/sentry/commit/ee44c6be35e5e464bc40637580f39867898acd8b
PATCHhttps://github.com/getsentry/self-hosted/releases/tag/23.6.2