CVE-2022-23485

MEDIUM

Sentry 20.6.0-22.10.0 - Improper Access Control via Invite Link Cookie Manipulation

Title source: llm

Description

Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).

References (1)

Core 1

Core References

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/getsentry/sentry/security/advisories/GHSA-jv85-mqxj-3f9j

Scores

CVSS v3 6.4

EPSS 0.0042

EPSS Percentile 33.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-269 CWE-284

Status published

Products (2)

pypi/sentry 20.6.0 - 22.11.0PyPI

sentry/sentry 20.6.0 - 22.10.0

Published Dec 10, 2022

Tracked Since Feb 18, 2026