Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`
CVE-2023-28117

7.6HIGH

Key Information:

Vendor

Getsentry

Status
Sentry-python
Vendor
CVE Published:
22 March 2023

What is CVE-2023-28117?

The Sentry Python SDK, particularly its Django integration, has a vulnerability that allows sensitive cookie values, such as session cookies, to be leaked when certain conditions are met. If the 'sendDefaultPII' option is enabled and custom names for cookie settings are used without proper configuration for data scrubbing, attackers with access to Sentry issues may exploit this to impersonate users or escalate privileges within the application. Users should upgrade to version 1.14.0 or later to benefit from enhanced security measures that automatically detect and filter these cookie names.

Affected Version(s)

sentry-python < 1.14.0

References

https://github.com/getsentry/sentry-python/security/advis...
x_refsource_CONFIRM
https://github.com/getsentry/sentry-python/pull/1842
x_refsource_MISC
https://github.com/getsentry/sentry-python/releases/tag/1...
x_refsource_MISC

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.