Information Exposure Affecting sentry-sdk package, versions [,1.14.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SENTRYSDK-3367401
- published 22 Mar 2023
- disclosed 21 Mar 2023
- credit Tom Wolters (Chapter8)
Introduced: 21 Mar 2023
CVE-2023-28117 Open this link in a new tabHow to fix?
Upgrade sentry-sdk to version 1.14.0 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure in the Django integration, which leaks sensitive cookies values, including the session cookie to Sentry. An attacker with access to Sentry issues can use such cookies to escalate privileges within the application.
Note:
All of these conditions must be met for an application to be vulnerable:
sendDefaultPIIis set toTrue, which is not the default.SESSION_COOKIE_NAMEorCSRF_COOKIE_NAMEhas a custom name in Django settings.Data scrubbing features are NOT being used to scrub the custom cookie names..
Workaround
This vulnerability can be avoided by filtering out cookies from the payload sent to Sentry. For error events, this can be done with the before_send callback method, and for performance-related events (transactions), with the before_send_transaction callback method.
On the server side, the advanced data scrubbing feature can be used to scrub the $http.cookies, $http.headers, $request.cookies, and $request.headers fields.