Package and Versions
Package: sentry (pip)
Affected Version(s): >=23.6.0, <23.6.2
Patched Version(s): 23.6.2
Description
The Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the value of the system.base-hostname option of the Sentry installation. This only affects installations that have the system.base-hostname option explicitly set, as it is empty by default.
Impact
Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.
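To make the flaw concrete, the following added example (written for this page, not taken from Sentry's code base) contrasts a raw string-suffix check of the kind the description refers to with a hardened check that parses the Origin and compares the host component. The base hostname value is constructed, and the decision to also accept dotted subdomains of the base hostname is an assumption about the intended behaviour.

```python
from urllib.parse import urlsplit

# Constructed value standing in for a hypothetical installation's
# system.base-hostname option (not a real deployment).
BASE_HOSTNAME = "sentry.example.com"


def weak_origin_allowed(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Suffix match on the raw Origin string, the flawed pattern the advisory
    describes: any Origin whose text ends with the base hostname is accepted,
    so an unrelated host such as https://notsentry.example.com also passes."""
    return origin.endswith(base_hostname)


def strict_origin_allowed(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Hardened check: require an http(s) Origin, extract the host, and compare
    it exactly (or as a dotted subdomain) rather than as a bare suffix."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # covers the literal "null" Origin and malformed values
    host = parts.hostname.lower()
    base = base_hostname.lower()
    return host == base or host.endswith("." + base)


def cors_headers(origin: str, check=strict_origin_allowed) -> dict:
    """Emit credentialed CORS headers only for an allowed Origin. The allowed
    origin is echoed back (never '*'), and Vary: Origin keeps caches from
    serving one origin's response to another."""
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```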
Patches
The patch has been released in Sentry 23.6.2.
Workarounds
For Sentry SaaS customers, no action is needed.
For self-hosted Sentry installations that have the system.base-hostname option explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.
CVSS 3.1 Score and Vector
CVSS Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Information
Reference: getsentry/sentry#52276
Original Advisory: GHSA-4xqm-4p72-87h6
Credits: @andr0idp4r4n0id