
[Security Advisory]: CORS misconfiguration #3

Open
jeff-a-holland-codecov opened this issue Dec 5, 2023 · 0 comments

@jeff-a-holland-codecov (Collaborator)
Package and Versions

Package: sentry pip
Affected Version(s): >=23.6.0, <23.6.2
Patched Version(s): 23.6.2

Description

The Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of the Sentry installation. Because this is a plain string-suffix match, an attacker-controlled host whose name merely ends with the configured base hostname (for example evilsentry.example.com against a base hostname of sentry.example.com) also satisfies it. This only affects installations that have the system.base-hostname option explicitly set, as it is empty by default.
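The following is an added illustration of the suffix-matching flaw described above and of a boundary-aware check that closes it. It is example code written for this page, not Sentry's own implementation or its actual patch; the base hostname value, the function names and the decision to allow proper subdomains of the base hostname are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed setting: what a self-hosted operator might put in system.base-hostname.
BASE_HOSTNAME = "sentry.example.com"


def vulnerable_allow_credentials(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Suffix check of the kind the advisory describes (illustrative, not Sentry's code).

    Any Origin whose string ends with the base hostname passes, including
    'https://evilsentry.example.com', whose host merely shares a suffix.
    """
    if not base_hostname:  # option is empty by default, so nothing is allowed
        return False
    return origin.endswith(base_hostname)


def hardened_allow_credentials(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Boundary-aware comparison (assumed policy for this example).

    The Origin header is parsed as a URL and its host must either equal
    base_hostname or be a proper subdomain of it, i.e. a dot must precede
    the suffix. Opaque origins ('null'), userinfo tricks and hosts that only
    share a trailing substring are all rejected.
    """
    if not base_hostname:
        return False
    parts = urlsplit(origin)
    host = parts.hostname  # strips port and userinfo; None for 'null'
    if parts.scheme not in ("https", "http") or not host:
        return False
    base = base_hostname.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def cors_headers(origin: str, base_hostname: str = BASE_HOSTNAME, fixed: bool = True) -> dict:
    """Build the CORS response headers a server would emit for this Origin.

    fixed=False reproduces the flawed behaviour; fixed=True uses the hardened check.
    """
    check = hardened_allow_credentials if fixed else vulnerable_allow_credentials
    if check(origin, base_hostname):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


if __name__ == "__main__":
    for origin in (
        "https://sentry.example.com",
        "https://org.sentry.example.com",
        "https://evilsentry.example.com",
        "https://sentry.example.com.evil.test",
        "https://sentry.example.com@evil.test",
        "null",
    ):
        print(origin, "flawed:", cors_headers(origin, fixed=False), "hardened:", cors_headers(origin))
```

To check a live self-hosted installation, send an API request whose Origin header is an attacker-style host that ends with your configured base hostname (as in the evilsentry.example.com case above) and inspect whether the response carries access-control-allow-credentials: true; a patched instance should not echo that header for such an Origin.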

Impact

Impact is limited since recent versions of major browsers block cross-site cookies by default, so a credentialed cross-origin request from an attacker-controlled page would typically not carry the victim's session cookie. However, this flaw could still serve as one step in a multi-step attack.

Patches

The patch has been released in Sentry 23.6.2.

Workarounds

For Sentry SaaS customers, no action is needed.

For self-hosted Sentry installations that have system.base-hostname explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.

CVSS 3.1 Score and Vector

CVSS Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Information

Reference: getsentry/sentry#52276
Original Advisory: GHSA-4xqm-4p72-87h6
Credits: @andr0idp4r4n0id
