CVE-2023-36826

Name of the Vulnerable Software and Affected Versions Sentry versions 8.21.0 through 23.5.1

Description An authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID, without needing to be a member of the organization or having permissions on the project. A patch was issued to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles, preventing authenticated users without necessary permissions from downloading them.

Recommendations For Sentry versions 8.21.0 through 23.5.1, upgrade to version 23.5.2 or higher to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Sentry SaaS users do not need to take any action. As a temporary workaround, consider restricting access to debug or artifact bundles until the patch is applied.