PT-2023-25718 · Sentry · Sentry

Andr0Idp4R4N0Id · Published 2023-07-06 · Updated 2023-07-17 · CVE-2023-36829

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Sentry versions 23.6.0 through 23.6.1

Description: Sentry is an error tracking and performance monitoring platform. The Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of the Sentry installation. This only affects installations that have the system.base-hostname option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.

Recommendations: For self-hosted Sentry installations that have system.base-hostname explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. For Sentry SaaS customers, no action is needed.
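As an added illustration (not Sentry's own code or its actual fix), the kind of suffix-matching Origin check the description refers to, beside a hardened check that parses the Origin and compares the host on a label boundary; the base hostname, the https-only requirement and the sample origins are constructed assumptions:

```python
from urllib.parse import urlsplit

# Constructed base hostname standing in for the system.base-hostname option.
BASE_HOSTNAME = "sentry.example.com"


def allows_credentials_suffix_match(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Weak check of the kind the advisory describes: the raw Origin header
    only has to end with the configured base hostname (illustrative only)."""
    return origin.endswith(base_hostname)


def allows_credentials_host_match(origin: str, base_hostname: str = BASE_HOSTNAME) -> bool:
    """Hardened check: parse the Origin as a URL, require https (assumed policy),
    and accept only the base hostname itself or a subdomain on a '.' boundary."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False  # covers "null", bare strings and non-URL garbage
    host = parts.hostname.lower()
    base = base_hostname.lower()
    return host == base or host.endswith("." + base)


def cors_headers(origin: str, base_hostname: str = BASE_HOSTNAME,
                 check=allows_credentials_host_match) -> dict:
    """Build the CORS response headers for a request carrying `origin`,
    using the supplied origin check; returns {} when the origin is rejected."""
    if check(origin, base_hostname):
        return {
            "access-control-allow-origin": origin,
            "access-control-allow-credentials": "true",
        }
    return {}


if __name__ == "__main__":
    # Constructed sample origins: only the first two legitimately belong to the deployment.
    for o in ("https://sentry.example.com", "https://app.sentry.example.com",
              "https://evil-sentry.example.com", "https://attacker.test/?x=sentry.example.com", "null"):
        print(f"{o!r:55} suffix={allows_credentials_suffix_match(o)!s:5} host={allows_credentials_host_match(o)}")
```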


Weakness Enumeration: Incorrect Authorization

Related Identifiers:

CVE-2023-36829
GHSA-4XQM-4P72-87H6
PYSEC-2023-115

Affected Products:

Sentry