CVE-2023-28117: Sensitive Info Insertion into Sent Data in Sentry-python

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.4% (top 39.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 22

Description

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration, it is possible to leak sensitive cookie values, including the session cookie, to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentr
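The leak described above happens on the client side, before the event reaches Sentry, so the defensive control belongs in the SDK configuration. The following is an added example (not code from the page or from the Sentry project) showing the weak setting beside a hardened one and a `before_send` scrubber that redacts session cookies and auth headers from outgoing events. It assumes the documented `sentry_sdk.init(..., send_default_pii=..., before_send=...)` keyword arguments and the event layout in which request data sits under `event["request"]` with `cookies` and `headers` keys; the cookie names, the sample event and the DSN are constructed for the example.

```python
"""Client-side redaction of session cookies in Sentry events.

Added example, not code from the advisory or the Sentry project. Assumes the
``before_send(event, hint)`` callback that ``sentry_sdk.init()`` accepts and an
event dict whose request data lives under ``event["request"]``.
"""
import copy

# Constructed list: Django's default session and CSRF cookie names. Extend it
# with whatever SESSION_COOKIE_NAME / CSRF_COOKIE_NAME your project sets.
SENSITIVE_COOKIES = {"sessionid", "csrftoken"}
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrftoken"}
REDACTED = "[Filtered]"


def _scrub_cookie_string(raw):
    """Redact sensitive values in a raw ``Cookie`` header string."""
    parts = []
    for pair in raw.split(";"):
        name, sep, _value = pair.strip().partition("=")
        if sep and name.lower() in SENSITIVE_COOKIES:
            parts.append(f"{name}={REDACTED}")
        else:
            parts.append(pair.strip())
    return "; ".join(parts)


def scrub_cookies(event, hint=None):
    """before_send hook: return a copy of the event with session data redacted.

    The event is still sent (returning None would drop it); only the values an
    attacker with Sentry access could replay against the app are removed.
    """
    event = copy.deepcopy(event)
    request = event.get("request") or {}

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in cookies:
            if name.lower() in SENSITIVE_COOKIES:
                cookies[name] = REDACTED
    elif isinstance(cookies, str):
        request["cookies"] = _scrub_cookie_string(cookies)

    headers = request.get("headers")
    if isinstance(headers, dict):
        for name in headers:
            if name.lower() in SENSITIVE_HEADERS:
                headers[name] = REDACTED
    return event


# Weak configuration: opts in to PII collection with nothing filtering it.
RISKY_INIT_KWARGS = {"send_default_pii": True}


def hardened_init_kwargs(dsn):
    """Keyword arguments for sentry_sdk.init(): PII off, scrubber installed."""
    return {"dsn": dsn, "send_default_pii": False, "before_send": scrub_cookies}


def config_leaks_cookies(kwargs):
    """True when PII collection is on and no before_send hook can redact it."""
    return bool(kwargs.get("send_default_pii")) and kwargs.get("before_send") is None


# Constructed sample event in the shape a Django request event takes.
SAMPLE_EVENT = {
    "message": "boom",
    "request": {
        "url": "https://example.invalid/profile",
        "cookies": {"sessionid": "abc123", "csrftoken": "tok", "theme": "dark"},
        "headers": {"Cookie": "sessionid=abc123; theme=dark", "User-Agent": "x"},
    },
}

if __name__ == "__main__":
    print(scrub_cookies(SAMPLE_EVENT)["request"])
    print("risky config leaks cookies:", config_leaks_cookies(RISKY_INIT_KWARGS))
```

The hook is defence in depth on the sending side; upgrading to 1.14.0 or later removes the cause, and Sentry's server-side data scrubbing still applies to whatever the SDK sends.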

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

Patches

🔴 Vulnerability Details (3)
OSV: CVE-2023-28117: Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software (2023-03-22)
GHSA: Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True` (2023-03-21)
OSV: Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True` (2023-03-21)
CVE-2023-28117 — Getsentry Sentry-python vulnerability | cvebase