Sentry Cross-Organization Insecure Direct Object Reference Vulnerability

Vulnerability

A cross-organization Insecure Direct Object Reference (IDOR) vulnerability has been identified in Sentry versions prior to 26.1.0, specifically in the GroupEventJsonView endpoint. It allows an authenticated user who holds the 'event:read' scope in their own organization to read event data belonging to a different organization by substituting a foreign 'group_id' in the request while leaving their own organization slug in the URL path. The root cause is that the endpoint resolves the organization from the slug and checks the caller's access to that organization, but then retrieves the group by 'group_id' alone, without constraining the lookup to the organization it just resolved. Because the organization-level permission check is never applied to the organization that actually owns the group, access crosses the organizational boundary.

Impact

Exploitation allows unauthorized read access to event data from other organizations on the same Sentry instance. Event payloads typically carry stack traces, request details, user context, tags and breadcrumbs, so the exposed information can be sensitive. The attacker must already be an authenticated member of some organization on the instance; no elevated role is required beyond the 'event:read' scope that ordinary members hold.

Reproduction

To reproduce this vulnerability, create two users in two different organizations. Acting as the 'attacker' user, send a request to the GroupEventJsonView endpoint using the attacker's own organization slug in the URL path but a group ID that belongs to the 'victim' organization. On an unpatched instance the response contains the victim's event data; on a patched instance the request is rejected. Note that the group ID is a sequential integer in Sentry, so guessing valid foreign IDs does not require prior knowledge of the victim organization.
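The following is an added illustrative model of the flaw described in the Vulnerability and Reproduction sections above; it is not Sentry's code and does not reproduce the upstream patch. The organizations, projects, groups and event payloads are constructed sample data, 'resolve_organization' stands in for the membership and scope check an organization-scoped view performs, and 'group_event_json_fixed' shows the assumed shape of a fix (scoping the group lookup to the organization resolved from the URL). 'reproduce' runs the two-user check from the Reproduction section against either handler.

```python
"""Illustrative model of an organization-scoped view that looks a group up
by id alone (vulnerable) versus one that scopes the lookup to the organization
in the URL (fixed). Added example; not Sentry's code and not the upstream patch."""
from dataclasses import dataclass, field


class Http404(Exception):
    """Stand-in for Django's Http404."""


@dataclass(frozen=True)
class Organization:
    id: int
    slug: str


@dataclass(frozen=True)
class Project:
    id: int
    organization_id: int


@dataclass(frozen=True)
class Group:
    id: int
    project_id: int


@dataclass(frozen=True)
class User:
    name: str
    organization_id: int  # the single organization the user is a member of
    scopes: frozenset = field(default_factory=lambda: frozenset({"event:read"}))


# Constructed sample data: attacker org "acme" owns group 100 via project 10,
# victim org "globex" owns group 200 via project 20.
ORGS = {"acme": Organization(1, "acme"), "globex": Organization(2, "globex")}
PROJECTS = {10: Project(10, 1), 20: Project(20, 2)}
GROUPS = {100: Group(100, 10), 200: Group(200, 20)}
LATEST_EVENT = {
    100: {"event_id": "a" * 32, "message": "acme error"},
    200: {"event_id": "b" * 32, "message": "globex secret stack trace"},
}


def resolve_organization(user, org_slug):
    """Assumed prologue of an organization-scoped view: the slug must exist,
    the caller must be a member, and the caller must hold event:read."""
    org = ORGS.get(org_slug)
    if org is None or user.organization_id != org.id:
        raise Http404
    if "event:read" not in user.scopes:
        raise PermissionError("event:read required")
    return org


def group_event_json_vulnerable(user, org_slug, group_id):
    """Vulnerable pattern: the organization is checked, but the group is then
    fetched by id alone, so the organization never constrains the result."""
    resolve_organization(user, org_slug)
    group = GROUPS.get(group_id)
    if group is None:
        raise Http404
    return LATEST_EVENT[group.id]


def group_event_json_fixed(user, org_slug, group_id):
    """Hardened pattern (assumed fix shape): the group must belong to a project
    of the organization resolved from the URL, otherwise it is a 404."""
    org = resolve_organization(user, org_slug)
    group = GROUPS.get(group_id)
    if group is None or PROJECTS[group.project_id].organization_id != org.id:
        raise Http404
    return LATEST_EVENT[group.id]


def reproduce(handler):
    """Two-user check from the Reproduction section: the acme member requests
    globex's group 200 under the acme slug. Returns 'leak' or 'blocked'."""
    attacker = User("attacker", organization_id=ORGS["acme"].id)
    try:
        event = handler(attacker, "acme", 200)
    except Http404:
        return "blocked"
    return "leak" if event is LATEST_EVENT[200] else "blocked"


if __name__ == "__main__":
    print("vulnerable handler:", reproduce(group_event_json_vulnerable))
    print("fixed handler:     ", reproduce(group_event_json_fixed))
```

The point of the model is the position of the ownership check: validating the caller against the organization in the path is necessary but not sufficient, because the object identifier in the path is what selects the data. Every lookup keyed by a client-supplied id must be constrained by the tenant the request was authorized for, and a mismatch should be indistinguishable from a non-existent id so that the endpoint cannot be used to enumerate other organizations' group IDs.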

Remediation

Update to Sentry version 26.1.0 or later, where this vulnerability has been patched. For self-hosted deployments, the fix is applied by upgrading the instance; no configuration change is described for this issue. Operators who want to check for past abuse can review access logs for requests to the GroupEventJsonView endpoint in which the requested group does not belong to the organization named in the URL path, since those are exactly the requests the patched endpoint rejects.

Added: Mar 18, 2026, 12:28 AM
Updated: Mar 18, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.