Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7pq6-v88g-wf3w: Sentry's improper authentication on SAML SSO process allows user impersonation

Impact

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

Patches

  • Sentry SaaS: The fix was deployed on Jan 14, 2025.
  • Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher.

Workarounds

No known workarounds.

References

  • https://github.com/getsentry/sentry/pull/83407
ghsa
Open in Source
#vulnerability#web#git#auth

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • White papers, Ebooks, Webinars
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-22146

Sentry’s improper authentication on SAML SSO process allows user impersonation

Critical severity GitHub Reviewed Published Jan 15, 2025 in getsentry/sentry • Updated Jan 15, 2025

Affected versions

>= 21.12.0, < 25.1.0

Description

Impact

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

Patches

  • Sentry SaaS: The fix was deployed on Jan 14, 2025.
  • Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher.

Workarounds

No known workarounds.

References

  • getsentry/sentry#83407

References

  • GHSA-7pq6-v88g-wf3w
  • getsentry/sentry#83407
  • getsentry/sentry@6db508f

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

ghsa: Latest News

GHSA-c873-wfhp-wx5m: SP1 has missing verifier checks and fiat-shamir observations
ghsa