CVE-2022-23485 FAQs
Details
With a known valid invite link (i.e. not already accepted or expired) an unauthenticated attacker can manipulate the cookie to allow the same invite link to be reused on multiple accounts when joining an organization.
Where can I find details of the CVE?
You can find details in our Github Security Advisory.
Do I need to take any action?
No action is necessary for Sentry SaaS users.
Self-hosted Sentry installs should upgrade to version 22.11.0 or higher. As a workaround, administrators can disable the invite functionality until they are ready to deploy the patched version by editing their sentry.conf.py file (usually located at ~/.sentry/).
Add the following line into
sentry.conf.py:SENTRY_FEATURES["organizations:invite-members"] = False
Are invite links I sent in the past vulnerable?
No. Past invite links that have already been accepted or expired are not vulnerable.
Are current pending invites vulnerable?
No. Out of caution, you can opt to rotate these links if you suspect they may have been intercepted.
Who can see the invite links?
Only those with the Owner role, Manager role, or the recipient of the invite can see the link.
Is there anything else I can do to secure my organization?
- Regularly review user membership of your organization (Organization Settings > Members) and remove stale accounts.
- Sentry SaaS customers can use this link to directly access Members in the organization settings.
- Ensure users have the correct roles assigned to them.
- Enable 2FA on your account.
- To learn how to require 2FA for users accessing your organization, refer to our documentation here.
All the help you could dream of
A peek at your privacy
Here’s a quick look at how Sentry handles your personal information (PII).
×Who we collect PII from
We collect PII about people browsing our website, users of the Sentry service, prospective customers, and people who otherwise interact with us.
What if my PII is included in data sent to Sentry by a Sentry customer (e.g., someone using Sentry to monitor their app)? In this case you have to contact the Sentry customer (e.g., the maker of the app). We do not control the data that is sent to us through the Sentry service for the purposes of application monitoring.
Am I included?PII we may collect about you
- PII provided by you and related to your
- Account, profile, and login
- Requests and inquiries
- Purchases
- PII collected from your device and usage
- PII collected from third parties (e.g., social media)
How we use your PII
- To operate our site and service
- To protect and improve our site and service
- To provide customer care and support
- To communicate with you
- For other purposes (that we inform you of at collection)
Third parties who receive your PII
We may disclose your PII to the following type of recipients:
- Subsidiaries and other affiliates
- Service providers
- Partners (go-to-market, analytics)
- Third-party platforms (when you connect them to our service)
- Governmental authorities (where necessary)
- An actual or potential buyer
We use cookies (but not for advertising)
- We do not use advertising or targeting cookies
- We use necessary cookies to run and improve our site and service
- You can disable cookies but this can impact your use or access to certain parts of our site and service
Know your rights
You may have the following rights related to your PII:
- Access, correct, and update
- Object to or restrict processing
- Port over
- Opt-out of marketing
- Be forgotten by Sentry
- Withdraw your consent
- Complain about us
If you have any questions or concerns about your privacy at Sentry, please email us at compliance@sentry.io.
If you are a California resident, see our Supplemental notice.