Moderate severityNVD Advisory· Published Jul 6, 2023· Updated Nov 6, 2024

Sentry CORS misconfiguration vulnerability

CVE-2023-36829

Description

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry installation. This only affects installations that have system.base-hostname option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. The patch has been released in Sentry 23.6.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
sentryPyPI	>= 23.6.0, < 23.6.2	23.6.2

Affected products

Getsentry/Sentryv5
Range: >= 23.6.0, < 23.6.2

Patches

ee44c6be35e5

Fix GHSA-4xqm-4p72-87h6 (#52276)

https://github.com/getsentry/sentryAlexander TarasovJul 5, 2023via ghsa

commit

2 files changed · +10 −9

src/sentry/api/base.py+1 −1 modified

@@ -121,7 +121,7 @@ def allow_cors_options_wrapper(self, request: Request, *args, **kwargs):
         # to be sent.
         basehost = options.get("system.base-hostname")
         if basehost and origin:
-            if origin.endswith(basehost):
+            if origin.endswith(("://" + basehost, "." + basehost)):
                 response["Access-Control-Allow-Credentials"] = "true"
 
         return response

tests/sentry/api/test_base.py+9 −8 modified

@@ -162,15 +162,16 @@ def test_allow_credentials_incorrect(self):
         org = self.create_organization()
         apikey = ApiKey.objects.create(organization_id=org.id, allowed_origins="*")
 
-        request = self.make_request(method="GET")
-        request.META["HTTP_ORIGIN"] = "http://acme.example.com"
-        request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
-            apikey.key.encode("utf-8")
-        )
+        for http_origin in ["http://acme.example.com", "http://fakeacme.com"]:
+            request = self.make_request(method="GET")
+            request.META["HTTP_ORIGIN"] = http_origin
+            request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
+                apikey.key.encode("utf-8")
+            )
 
-        response = _dummy_endpoint(request)
-        response.render()
-        assert "Access-Control-Allow-Credentials" not in response
+            response = _dummy_endpoint(request)
+            response.render()
+            assert "Access-Control-Allow-Credentials" not in response
 
     def test_invalid_cors_without_auth(self):
         request = self.make_request(method="GET")

19248fb9802c

fix GHSA-4xqm-4p72-87h6

https://github.com/getsentry/sentryAlexander TarasovJul 5, 2023via ghsa

commit

2 files changed · +10 −9

src/sentry/api/base.py+1 −1 modified

@@ -121,7 +121,7 @@ def allow_cors_options_wrapper(self, request: Request, *args, **kwargs):
         # to be sent.
         basehost = options.get("system.base-hostname")
         if basehost and origin:
-            if origin.endswith(basehost):
+            if origin.endswith(("://" + basehost, "." + basehost)):
                 response["Access-Control-Allow-Credentials"] = "true"
 
         return response

tests/sentry/api/test_base.py+9 −8 modified

@@ -162,15 +162,16 @@ def test_allow_credentials_incorrect(self):
         org = self.create_organization()
         apikey = ApiKey.objects.create(organization_id=org.id, allowed_origins="*")
 
-        request = self.make_request(method="GET")
-        request.META["HTTP_ORIGIN"] = "http://acme.example.com"
-        request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
-            apikey.key.encode("utf-8")
-        )
+        for http_origin in ["http://acme.example.com", "http://fakeacme.com"]:
+            request = self.make_request(method="GET")
+            request.META["HTTP_ORIGIN"] = http_origin
+            request.META["HTTP_AUTHORIZATION"] = b"Basic " + base64.b64encode(
+                apikey.key.encode("utf-8")
+            )
 
-        response = _dummy_endpoint(request)
-        response.render()
-        assert "Access-Control-Allow-Credentials" not in response
+            response = _dummy_endpoint(request)
+            response.render()
+            assert "Access-Control-Allow-Credentials" not in response
 
     def test_invalid_cors_without_auth(self):
         request = self.make_request(method="GET")

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-4xqm-4p72-87h6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-36829ghsaADVISORY
github.com/getsentry/self-hosted/releases/tag/23.6.2ghsax_refsource_MISCWEB
github.com/getsentry/sentry/commit/19248fb9802c252665b802aeab02fdc65ed47dc9ghsaWEB
github.com/getsentry/sentry/commit/ee44c6be35e5e464bc40637580f39867898acd8bghsax_refsource_MISCWEB
github.com/getsentry/sentry/pull/52276ghsax_refsource_MISCWEB
github.com/getsentry/sentry/security/advisories/GHSA-4xqm-4p72-87h6ghsax_refsource_CONFIRMWEB
github.com/pypa/advisory-database/tree/main/vulns/sentry/PYSEC-2023-115.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000