PT-2023-9596 · Sentry · Sentry Sdk

Tom Wolters · Published 2023-01-20 · Updated 2024-10-22 · CVE-2023-28117

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sentry SDK (sentry-sdk for Python) versions prior to 1.14.0

Description: The Django integration of the Sentry SDK leaks sensitive cookie values, including the session cookie, to Sentry in a specific configuration. The leak occurs when all three of the following hold: the SDK is initialised with send_default_pii set to True; the Django project uses a custom name for SESSION_COOKIE_NAME or CSRF_COOKIE_NAME in its settings; and the data-scrubbing features (server-side or in the SDK) have not been configured for those custom names. The SDK's built-in scrubbing only recognises Django's default cookie names, so renamed cookies are sent in clear text in the request.cookies and request.headers fields of error and transaction events. Anyone with access to the Sentry issues of the project (hence PR:H in the vector) can read those values and replay the session cookie to impersonate the user or escalate privileges within the application.

Recommendations: Upgrade to sentry-sdk 1.14.0 or later. As of that version, the Django integration reads SESSION_COOKIE_NAME and CSRF_COOKIE_NAME from Django settings and removes the corresponding values from the payload before it is sent to Sentry. For versions prior to 1.14.0, use the SDK's filtering mechanism to remove the cookies from the payload: for error events, register a before_send callback; for performance events (transactions), register a before_send_transaction callback, since before_send does not apply to them. Alternatively, use Sentry's advanced data scrubbing feature and add a rule targeting the $http.cookies, $http.headers, $request.cookies or $request.headers fields for the custom cookie names. Note that neither the upgrade nor a new scrubbing rule removes values already stored in existing issues; those events should be deleted and the affected sessions and CSRF tokens rotated.
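The pre-1.14.0 workaround described above, as an added example that is not sentry-sdk's own code and not part of the original advisory: one callback installed as both before_send and before_send_transaction that reads the (possibly custom) cookie names from Django settings and masks them in both the parsed request.cookies dict and the raw Cookie request header. The cookie names app_sess/app_csrf, SAMPLE_SETTINGS and SAMPLE_EVENT are constructed for illustration, the DSN passed to configure_sentry is a placeholder, and the event layout assumed (event["request"]["cookies"] and event["request"]["headers"]["Cookie"]) is the structure the Django integration fills when send_default_pii is True.

```python
"""Added example: scrub custom-named Django session/CSRF cookies from Sentry
payloads with before_send / before_send_transaction (not sentry-sdk's code)."""
from types import SimpleNamespace
from typing import Any, Callable, Dict, Iterable, Set

try:  # the SDK is only needed for the init() call in configure_sentry()
    import sentry_sdk
except ImportError:  # the scrubbing logic itself has no dependency on it
    sentry_sdk = None

FILTERED = "[Filtered]"
Event = Dict[str, Any]


def sensitive_cookie_names(settings: Any) -> Set[str]:
    """Names of the session and CSRF cookies for this project. `settings` is
    any object exposing SESSION_COOKIE_NAME / CSRF_COOKIE_NAME (e.g.
    django.conf.settings); Django's defaults are used when a setting is absent."""
    return {
        getattr(settings, "SESSION_COOKIE_NAME", "sessionid"),
        getattr(settings, "CSRF_COOKIE_NAME", "csrftoken"),
    }


def _redact_cookie_header(value: str, names: Set[str]) -> str:
    """Rewrite a raw 'Cookie:' header value, masking only the named cookies;
    unrelated cookies (UI preferences etc.) keep their debugging value."""
    parts = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, _ = chunk.partition("=")
        if sep and name.strip() in names:
            parts.append(f"{name.strip()}={FILTERED}")
        else:
            parts.append(chunk)
    return "; ".join(parts)


def scrub_cookies(event: Event, names: Iterable[str], drop_all: bool = False) -> Event:
    """Mask the listed cookies (or, with drop_all, every cookie) in both the
    parsed request.cookies dict and the raw Cookie request header, in place."""
    request = event.get("request")
    if not isinstance(request, dict):  # e.g. a message event with no request
        return event
    names = set(names)
    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        if drop_all:
            request.pop("cookies", None)
        else:
            for key in cookies:
                if key in names:
                    cookies[key] = FILTERED
    headers = request.get("headers")
    if isinstance(headers, dict):
        for key in list(headers):
            if key.lower() != "cookie" or not isinstance(headers[key], str):
                continue
            headers[key] = FILTERED if drop_all else _redact_cookie_header(headers[key], names)
    return event


def make_scrubber(names: Iterable[str], drop_all: bool = False) -> Callable[[Event, Any], Event]:
    """Build one callback usable as both before_send and before_send_transaction.
    Returning the (mutated) event keeps it; returning None would discard it."""
    names = set(names)

    def callback(event: Event, hint: Any) -> Event:
        return scrub_cookies(event, names, drop_all)

    return callback


def configure_sentry(dsn: str, settings: Any) -> bool:
    """Install the scrubber on both hooks; returns False when the SDK is absent."""
    if sentry_sdk is None:
        return False
    from sentry_sdk.integrations.django import DjangoIntegration

    scrub = make_scrubber(sensitive_cookie_names(settings))
    sentry_sdk.init(
        dsn=dsn,                        # placeholder supplied by the caller
        integrations=[DjangoIntegration()],
        send_default_pii=True,          # the risky setting from the advisory
        before_send=scrub,              # error events
        before_send_transaction=scrub,  # performance transactions
    )
    return True


# Constructed sample: a project that renamed both cookies, and an event shaped
# as the Django integration emits it with send_default_pii=True.
SAMPLE_SETTINGS = SimpleNamespace(SESSION_COOKIE_NAME="app_sess", CSRF_COOKIE_NAME="app_csrf")
SAMPLE_EVENT: Event = {
    "request": {
        "url": "https://app.example/orders/42",
        "cookies": {"app_sess": "s3cr3t", "app_csrf": "t0k3n", "theme": "dark"},
        "headers": {"Cookie": "app_sess=s3cr3t; app_csrf=t0k3n; theme=dark"},
    }
}

if __name__ == "__main__":
    import copy, json
    scrub = make_scrubber(sensitive_cookie_names(SAMPLE_SETTINGS))
    print(json.dumps(scrub(copy.deepcopy(SAMPLE_EVENT), None)["request"], indent=2))
```

The same callback is passed to both hooks because, for a transaction, before_send is never called; forgetting before_send_transaction leaves the cookies in every performance span that carries request data. The masking keeps non-sensitive cookies so the issue remains useful for debugging; pass drop_all=True to mimic the simpler "remove cookies entirely" variant of the recommendation.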

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2024-08616
CVE-2023-28117
GHSA-29PR-6JR8-Q5JM

Affected Products

Red Os
Sentry Sdk