
CVE-2023-36829

This is a writeup for CVE-2023-36829. My first CVE.

Explanation

CORS

Cross-Origin Resource Sharing is a browser mechanism that enables controlled access to resources outside a given domain.

Further reading

https://portswigger.net/web-security/cors#what-is-cors-cross-origin-resource-sharing

Same-Origin Policy

The Same-Origin Policy is a browser mechanism that prevents domain A from carrying out actions on domain B.

Further reading

https://portswigger.net/web-security/cors/same-origin-policy

SOP + CORS

CORS specifies how the SOP can be relaxed so that domain A can carry out actions on domain B.

CORS Headers

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials

The first response header specifies which domain A (or domains) is allowed to perform actions on domain B. The second response header specifies whether that domain A is allowed to perform actions that require credentials (such as cookies) on domain B.

There are more headers but these are the most interesting for this CVE.

Usually, the server builds the Access-Control-Allow-Origin response header by reading the domain sent in the HTTP request's Origin header and deciding whether that origin is allowed or not.

The CVE

The sentry.io CORS policy was too permissive: an attacker could force sentry.io to execute a cross-origin action that requires credentials by registering a domain ending in sentry.io.

E.g.: attacker-sentry.io

Testing for the CVE

After changing the Origin header of an HTTP request to test-sentry.io, the HTTP response included the Access-Control-Allow-Credentials: true header. It was possible to execute actions with credentials from that domain to sentry.io.
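To make the defect from the two sections above concrete, here is an added example (constructed for this writeup, not Sentry's code) contrasting a suffix-based Origin check, which accepts attacker-sentry.io, with a host-aware check that only accepts sentry.io and its subdomains. TRUSTED_HOST, the function names and the sample origins are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the host this server treats as its own trusted origin.
TRUSTED_HOST = "sentry.io"


def vulnerable_origin_allowed(origin: str) -> bool:
    """Suffix match on the Origin host (illustration of the bug class).

    'attacker-sentry.io' ends with 'sentry.io', so it is wrongly accepted.
    """
    host = urlsplit(origin).hostname or ""
    return host.endswith(TRUSTED_HOST)


def hardened_origin_allowed(origin: str) -> bool:
    """Accept only https origins whose host is TRUSTED_HOST or a dot-separated
    subdomain of it. Anything unparsable (e.g. the literal 'null') is rejected.
    A stricter deployment would compare the full origin against an allowlist,
    which also pins the port."""
    parts = urlsplit(origin)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    host = host.lower()
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def cors_headers(origin: str, check) -> dict:
    """Response headers a server would add for a credentialed request,
    given an origin-validation function. No headers means the browser
    blocks the cross-origin read."""
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    for o in ("https://sentry.io", "https://sub.sentry.io",
              "https://attacker-sentry.io", "https://sentry.io.evil.example", "null"):
        print(o, "vulnerable:", vulnerable_origin_allowed(o),
              "hardened:", hardened_origin_allowed(o))
```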

Restrictions

Most modern browsers include cross-site cookie blocking. This attack would require some type of browser configuration tampering that allows cross-site cookies.

Conclusion

Testing for permissive CORS configurations is essential even with cross-site cookies blocked. It's possible that a user utilizes a browser that allows those cookies, or that an attacker can bypass the cross-site cookie restrictions themselves.

CWE

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

CVSS3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Sentry.io advisory

https://github.com/getsentry/sentry/security/advisories/GHSA-4xqm-4p72-87h6