CVE-2023-36829

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Jul 6, 2023
Updated: Jul 17, 2023
CWE ID 942
CWE ID 863
CWE ID 697

Summary

CVE-2023-36829 is a vulnerability affecting Sentry, an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header when the `Origin` request header ends with the `system.base-hostname` option. This only impacts installations with an explicitly set `system.base-hostname`, as the option is empty by default. Although the impact is limited by cross-site cookie blocking in recent browsers, this flaw could potentially enable multi-step attacks. The vulnerability has been addressed in Sentry 23.6.2 with a released patch.
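As an added illustration (not Sentry's code), the following reconstructs from the summary the class of check it describes: a credentialed-CORS decision made by suffix-matching the raw `Origin` header against a configured base hostname, beside a hardened version that parses the header and compares the host exactly. The function names, the `BASE_HOSTNAME` value and the optional subdomain rule are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumed value of the system.base-hostname option (constructed for this example).
BASE_HOSTNAME = "sentry.example.com"


def origin_host(origin):
    """Return the lower-cased host of an Origin header value, or None if the
    header is not an http(s) origin (e.g. the literal "null")."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def allow_credentials_suffix(origin, base_hostname=BASE_HOSTNAME):
    """Flawed check (the pattern the advisory describes): trust any Origin whose
    raw text ends with the base hostname. No dot boundary is enforced and the
    header is never parsed, so unrelated hosts can satisfy it."""
    if not base_hostname:
        return False
    return origin.endswith(base_hostname)


def allow_credentials_strict(origin, base_hostname=BASE_HOSTNAME, allow_subdomains=False):
    """Hardened check: parse the Origin, then require the host to equal the base
    hostname. If subdomains must be trusted, match only at a dot boundary,
    never with a bare suffix comparison."""
    if not base_hostname:
        return False
    host = origin_host(origin)
    if host is None:
        return False
    base = base_hostname.lower()
    if host == base:
        return True
    return allow_subdomains and host.endswith("." + base)


def cors_headers(origin, check):
    """Build the CORS response headers a middleware would emit for one request,
    using `check` to decide whether the origin may receive credentials."""
    headers = {}
    if check(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```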

