Back

CVE-2024-40647

July 18, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

sentry-sdk

  • <2.8.0

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-200
2024-07-18
CVE-2024-40647

CVE-2024-40647 details

Published : July 18, 2024, 5:15 p.m.
Last Modified : July 18, 2024, 5:15 p.m.

Description

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

CVSS Score

1 2 3 4 5.3 6 7 8 9 10

Weakness

Weakness Name Description
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Exploitability Score

0.8

Impact Score

4.0

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

References

URL Source
https://docs.python.org/3/library/subprocess.html security-advisories@github.com
https://docs.sentry.io/platforms/python/integrations/default-integrations security-advisories@github.com
https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib security-advisories@github.com
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff security-advisories@github.com
https://github.com/getsentry/sentry-python/pull/3251 security-advisories@github.com
https://github.com/getsentry/sentry-python/releases/tag/2.8.0 security-advisories@github.com
https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.