CVE-2023-36829: Fix GHSA-4xqm-4p72-87h6 (#52276) · getsentry/sentry@ee44c6b
Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of the Sentry installation. This only affects installations that have the `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2.
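To make the class of bug described above concrete, here is an added illustration (not Sentry's code and not the change in PR #52276): a raw string-suffix check on the `Origin` header beside a check that parses the origin and compares its host on a label boundary. The base hostname and origins are constructed for a hypothetical installation; treating subdomains of the base hostname as same-site is an assumption of the example.

```python
from urllib.parse import urlsplit


def allows_credentials_vulnerable(origin: str, base_hostname: str) -> bool:
    """Suffix check of the kind the advisory describes: any Origin whose
    raw string ends with the configured base hostname is treated as ours."""
    if not base_hostname:  # option empty by default: nothing matches
        return False
    return origin.endswith(base_hostname)


def allows_credentials_fixed(origin: str, base_hostname: str) -> bool:
    """Compare the parsed host of the Origin, not the raw string: it must be
    exactly the base hostname or a subdomain of it on a '.' boundary."""
    if not base_hostname:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # e.g. the literal Origin "null", or garbage
    host = parts.hostname.lower()
    base = base_hostname.lower().strip(".")
    return host == base or host.endswith("." + base)


# Constructed sample data for a hypothetical installation whose
# system.base-hostname is "sentry.example.com".
BASE = "sentry.example.com"
SAMPLE_ORIGINS = [
    "https://sentry.example.com",                # the installation itself
    "https://app.sentry.example.com",            # legitimate subdomain
    "https://evilsentry.example.com",            # shares only a string suffix
    "https://sentry.example.com.attacker.test",  # prefix, not a suffix
    "null",                                      # opaque origin
]


def compare(origins=SAMPLE_ORIGINS, base=BASE):
    """Return {origin: (suffix_check_decision, parsed_host_decision)}."""
    return {o: (allows_credentials_vulnerable(o, base),
                allows_credentials_fixed(o, base)) for o in origins}


if __name__ == "__main__":
    for origin, (vuln, fixed) in compare().items():
        print(f"{origin:42} suffix_check={vuln!s:5} host_check={fixed}")
```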
Expand Up @@ -162,15 +162,16 @@ def test_allow_credentials_incorrect(self): org = self.create_organization() apikey = ApiKey.objects.create(organization_id=org.id, allowed_origins="*")
request = self.make_request(method="GET") request.META[“HTTP_ORIGIN”] = “http://acme.example.com” request.META[“HTTP_AUTHORIZATION”] = b"Basic " + base64.b64encode( apikey.key.encode(“utf-8”) ) for http_origin in [“http://acme.example.com", “http://fakeacme.com”]: request = self.make_request(method="GET”) request.META[“HTTP_ORIGIN”] = http_origin request.META[“HTTP_AUTHORIZATION”] = b"Basic " + base64.b64encode( apikey.key.encode(“utf-8”) )
response = _dummy_endpoint(request) response.render() assert “Access-Control-Allow-Credentials” not in response response = _dummy_endpoint(request) response.render() assert “Access-Control-Allow-Credentials” not in response
def test_invalid_cors_without_auth(self): request = self.make_request(method="GET") Expand Down
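Review bot: the widened loop in test_allow_credentials_incorrect only adds http://fakeacme.com, an origin that shares no suffix with the acme.example.com origin already tested, and the visible lines set no system.base-hostname, so it is not clear from this hunk that the test exercises the condition the advisory describes (an Origin that ends with the configured base hostname); consider adding a case that ends with the base hostname without being it, under an explicit override of system.base-hostname, so that the `assert "Access-Control-Allow-Credentials" not in response` check actually fails on the unpatched code.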
Related news
### Impact

The Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of the Sentry installation. This only affects installations that have the `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.

### Patches

The patch has been released in [Sentry 23.6.2](https://github.com/getsentry/self-hosted/releases/tag/23.6.2).

### Workarounds

For Sentry SaaS customers, no action is needed. For self-hosted Sentry installations that have `system.base-hostname` explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.

### References

- [getsentry/sentry PR #52276](https://github.com/getsentry/sentry/pull/52276)

### Credits

- [@andr0idp4r4n0id](https://twi...