Help Center / Account & Billing / Security / CVE-2022-23485 FAQs

CVE-2022-23485 FAQs

Details

With a known valid invite link (i.e. not already accepted or expired) an unauthenticated attacker can manipulate the cookie to allow the same invite link to be reused on multiple accounts when joining an organization.

Where can I find details of the CVE?

You can find details in our Github Security Advisory.

Do I need to take any action?

No action is necessary for Sentry SaaS users.

Self-hosted Sentry installs should upgrade to version 22.11.0 or higher. As a workaround, administrators can disable the invite functionality until they are ready to deploy the patched version by editing their sentry.conf.py file (usually located at ~/.sentry/).

  1. Add the following line into sentry.conf.py:

     SENTRY_FEATURES["organizations:invite-members"] = False
    

No. Past invite links that have already been accepted or expired are not vulnerable.

Are current pending invites vulnerable?

No. Out of caution, you can opt to rotate these links if you suspect they may have been intercepted.

Only those with the Owner role, Manager role, or the recipient of the invite can see the link.

Is there anything else I can do to secure my organization?

  1. Regularly review user membership of your organization (Organization Settings > Members) and remove stale accounts.
    • Sentry SaaS customers can use this link to directly access Members in the organization settings.
  2. Ensure users have the correct roles assigned to them.
  3. Enable 2FA on your account.

All the help you could dream of

Documentation
© 2023 • Sentry is a registered Trademark
of Functional Software, Inc.