CVE-2022-23485: Invite code reuse via cookie manipulation in sentry
First published: Sat Dec 10 2022(Updated: )
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sentry Sentry | >=20.6.0<=22.10.0 | |
| pip/sentry | >=20.6.0<22.11.0 | 22.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/getsentry/sentry/security/advisories/GHSA-jv85-mqxj-3f9j
- https://nvd.nist.gov/vuln/detail/CVE-2022-23485
- https://github.com/getsentry/sentry/commit/565f971da955d57c754a47f5802fe9f9f7c66b39
- https://github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2022-43011.yaml
- https://github.com/advisories/GHSA-jv85-mqxj-3f9j (Advisory)
Frequently Asked Questions
What is CVE-2022-23485?
CVE-2022-23485 is a vulnerability in the Sentry python library that allows an attacker with a known valid invite link to manipulate a cookie and reuse the same invite link on multiple accounts when joining an organization.
What is the severity of CVE-2022-23485?
The severity of CVE-2022-23485 is medium with a severity value of 3.7.
How does CVE-2022-23485 affect Sentry?
CVE-2022-23485 affects versions of the Sentry python library prior to 22.11.0.
How can an attacker exploit CVE-2022-23485?
An attacker with a known valid invite link can manipulate a cookie to reuse the same invite link on multiple accounts when joining an organization.
Is there a fix for CVE-2022-23485?
Yes, upgrading to version 22.11.0 or later of the Sentry python library fixes the vulnerability.
- collector/nvd-index
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jv85-mqxj-3f9j
- alias/CVE-2022-23485
- agent/software-canonical-lookup
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- collector/nvd-cve
- source/NVD
- agent/event
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/sentry
- canonical/sentry sentry
- version/sentry sentry/20.6.0
- version/sentry sentry/22.10.0
- package-manager/pip