CVE-2022-23485 FAQs

Details

With a known valid invite link (i.e. not already accepted or expired) an unauthenticated attacker can manipulate the cookie to allow the same invite link to be reused on multiple accounts when joining an organization.

Where can I find details of the CVE?

You can find details in our Github Security Advisory.

Do I need to take any action?

No action is necessary for Sentry SaaS users.

Self-hosted Sentry installs should upgrade to version 22.11.0 or higher. As a workaround, administrators can disable the invite functionality until they are ready to deploy the patched version by editing their sentry.conf.py file (usually located at ~/.sentry/).

1. Add the following line into sentry.conf.py:

    SENTRY_FEATURES["organizations:invite-members"] = False
   Click to Copy

Are invite links I sent in the past vulnerable?

No. Past invite links that have already been accepted or expired are not vulnerable.

Are current pending invites vulnerable?

No. Out of caution, you can opt to rotate these links if you suspect they may have been intercepted.

Who can see the invite links?

Only those with the Owner role, Manager role, or the recipient of the invite can see the link.

Is there anything else I can do to secure my organization?

1. Regularly review user membership of your organization (Organization Settings > Members) and remove stale accounts.
   • Sentry SaaS customers can use this link to directly access Members in the organization settings.
2. Ensure users have the correct roles assigned to them.
3. Enable 2FA on your account.
   • To learn how to require 2FA for users accessing your organization, refer to our documentation here.