What is CVE-2022-23485?

CVE-2022-23485 is a vulnerability in the Sentry python library that allows an attacker with a known valid invite link to manipulate a cookie and reuse the same invite link on multiple accounts when joining an organization.

What is the severity of CVE-2022-23485?

The severity of CVE-2022-23485 is medium with a severity value of 3.7.

How does CVE-2022-23485 affect Sentry?

CVE-2022-23485 affects versions of the Sentry python library prior to 22.11.0.

How can an attacker exploit CVE-2022-23485?

An attacker with a known valid invite link can manipulate a cookie to reuse the same invite link on multiple accounts when joining an organization.

Is there a fix for CVE-2022-23485?

Yes, upgrading to version 22.11.0 or later of the Sentry python library fixes the vulnerability.

Vulnerability/
CVE-2022-23485

medium

6.4

CWE

269 284

10/12/2022

3/8/2024

CVE-2022-23485: Invite code reuse via cookie manipulation in sentry

First published: Sat Dec 10 2022(Updated: )

Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Sentry Sentry	>=20.6.0<=22.10.0

Never miss a vulnerability like this again

Reference Links

https://github.com/getsentry/sentry/security/advisories/GHSA-jv85-mqxj-3f9j

Frequently Asked Questions

What is CVE-2022-23485?
CVE-2022-23485 is a vulnerability in the Sentry python library that allows an attacker with a known valid invite link to manipulate a cookie and reuse the same invite link on multiple accounts when joining an organization.
What is the severity of CVE-2022-23485?
The severity of CVE-2022-23485 is medium with a severity value of 3.7.
How does CVE-2022-23485 affect Sentry?
CVE-2022-23485 affects versions of the Sentry python library prior to 22.11.0.
How can an attacker exploit CVE-2022-23485?
An attacker with a known valid invite link can manipulate a cookie to reuse the same invite link on multiple accounts when joining an organization.
Is there a fix for CVE-2022-23485?
Yes, upgrading to version 22.11.0 or later of the Sentry python library fixes the vulnerability.

collector/nvd-index
agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/author
agent/last-modified-date
agent/severity
agent/title
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/sentry
canonical/sentry sentry
version/sentry sentry/20.6.0
version/sentry sentry/22.10.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.