CVE-2022-23485

Invite code reuse via cookie manipulation in sentry

Severity Score: 3.7 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): -
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

Sentry is an error tracking and performance monitoring platform. In versions of the Sentry Python library prior to 22.11.0, an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result, an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which cannot upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).

*Credits: N/A
CVSS Scores
Metric                 Vector 1    Vector 2
Attack Vector          Network     Network
Attack Complexity      High        High
Privileges Required    None        None
User Interaction       None        Required
Scope                  Unchanged   Unchanged
Confidentiality        None        High
Integrity              Low         Low
Availability           None        Low
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-12-10 CVE Published
  • 2024-07-02 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
  • CWE-284: Improper Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product   Version                 Other   Status
Sentry   Sentry    >= 20.6.0 <= 22.10.0    -       Affected