Vulners
Lucene search
Linux Distros Unpatched Vulnerability : CVE-2023-28117
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | py39-sentry-sdk -- sensitive cookies leak | 21 Mar 202300:00 | – | freebsd |
 | CVE-2023-28117 | 22 Mar 202323:36 | – | circl |
 | Sentry 安全漏洞 | 22 Mar 202300:00 | – | cnnvd |
 | CVE-2023-28117 | 22 Mar 202319:37 | – | cve |
 | CVE-2023-28117 Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True` | 22 Mar 202319:37 | – | cvelist |
 | EUVD-2023-0828 | 3 Oct 202520:07 | – | euvd |
 | FreeBSD : py39-sentry-sdk -- sensitive cookies leak (15dae5cc-9ee6-4577-a93e-2ab57780e707) | 14 Apr 202300:00 | – | nessus |
 | Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True` | 21 Mar 202322:31 | – | github |
 | CVE-2023-28117 | 22 Mar 202320:15 | – | nvd |
 | CVE-2023-28117 Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True` | 22 Mar 202319:37 | – | osv |
10
| Source | Link |
|---|---|
| ubuntu | www.ubuntu.com/security/CVE-2023-28117 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(262182);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/29");
script_cve_id("CVE-2023-28117");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2023-28117");
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the
Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is
possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies
could then be used by someone with access to your Sentry issues to impersonate or escalate their
privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK
configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either
`SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in
one's organization or project settings to use Sentry's data scrubbing features to account for the custom
cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom
cookie names based on one's Django settings and will remove the values from the payload before sending the
data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload
that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for
performance related events (transactions) one can use the `before_send_transaction` callback method. Those
who want to handle filtering of these values on the server-side can also use Sentry's advanced data
scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`,
`$request.cookies`, or `$request.headers` fields to target with a scrubbing rule. (CVE-2023-28117)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2023-28117");
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-28117");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:sentry-python");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
script_require_ports("Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10");
exit(0);
}
if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);
include('linux_unpatched.inc');
var distro_constraints_array = {
"Ubuntu Linux-20.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "20.04",
"pkgs": [
{"reference": "sentry-python"}
]
}
]
},
"Ubuntu Linux-22.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "22.04",
"pkgs": [
{"reference": "sentry-python"}
]
}
]
},
"Ubuntu Linux-24.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "24.04",
"pkgs": [
{"reference": "sentry-python"}
]
}
]
},
"Ubuntu Linux-25.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "25.04",
"pkgs": [
{"reference": "sentry-python"}
]
}
]
},
"Ubuntu Linux-25.10": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "25.10",
"pkgs": [
{"reference": "sentry-python"}
]
}
]
}
};
var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);
if (!empty_or_null(report))
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : report
);
exit(0);
}
else
{
audit(AUDIT_HOST_NOT, 'affected');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2026 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.16.5 - 7.6
EPSS0.00398
SSVC