Sentry CORS misconfiguration - API Security Blog

Main / Sentry CORS misconfiguration

Sentry CORS misconfiguration

Discription

### Impact
The Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default.

Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks.

### Patches
The patch has been released in [Sentry 23.6.2](https://github.com/getsentry/self-hosted/releases/tag/23.6.2).

### Workarounds

For Sentry SaaS customers, no action is needed.

For self-hosted Sentry installations that have `system.base-hostname` explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds.

### References
– [getsentry/sentry PR #52276](https://github.com/getsentry/sentry/pull/52276)

### Credits
– [@andr0idp4r4n0id](https://twitter.com/andr0idp4r4n0id)Read More

References

Back to Main

Subscribe for the latest news: