Information Exposure Affecting sentry-sdk package, versions [,1.14.0)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-SENTRYSDK-3367401
- published22 Mar 2023
- disclosed21 Mar 2023
- creditTom Wolters (Chapter8)
Introduced: 21 Mar 2023
CVE-2023-28117 (opens in a new tab)How to fix?
Upgrade sentry-sdk to version 1.14.0 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure in the Django integration, which leaks sensitive cookies values, including the session cookie to Sentry. An attacker with access to Sentry issues can use such cookies to escalate privileges within the application.
Note:
All of these conditions must be met for an application to be vulnerable:
sendDefaultPIIis set toTrue, which is not the default.SESSION_COOKIE_NAMEorCSRF_COOKIE_NAMEhas a custom name in Django settings.Data scrubbing features are NOT being used to scrub the custom cookie names..
Workaround
This vulnerability can be avoided by filtering out cookies from the payload sent to Sentry. For error events, this can be done with the before_send callback method, and for performance-related events (transactions), with the before_send_transaction callback method.
On the server side, the advanced data scrubbing feature can be used to scrub the $http.cookies, $http.headers, $request.cookies, and $request.headers fields.