SB2023071509 - CORS misconfiguration in Sentry API

Description

This security bulletin contains information about 1 security vulnerability.

1) Overly permissive cross-domain whitelist (CVE-ID: CVE-2023-36829)

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request in Sentry API. A remote attacker can supply arbitrary value via the "Origin" HTTP header, bypass implemented CORS protection mechanism and perform cross-site scripting attacks against the vulnerable application.

Note, the vulnerability affects installations only that have `system.base-hostname` option explicitly set, as it is empty by default.

Remediation

Install update from vendor's website.

References

• https://github.com/getsentry/sentry/commit/ee44c6be35e5e464bc40637580f39867898acd8b
• https://github.com/getsentry/sentry/security/advisories/GHSA-4xqm-4p72-87h6
• https://github.com/getsentry/sentry/pull/52276
• https://github.com/getsentry/self-hosted/releases/tag/23.6.2