CVE-2024-40647 Unintentional exposure of environment variables to subprocesses in sentry-sdk

2024-07-1816:51:23

CWE-200

GitHub_M

www.cve.org

cve-2024-40647

sentry.io

python sdk

bug

environment variables

subprocess

security risk

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS

Percentile

10.6%

JSON

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry’s Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the env={} setting. In Python’s subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it’s not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

CNA Affected

[
  {
    "vendor": "getsentry",
    "product": "sentry-python",
    "versions": [
      {
        "version": "< 2.8.0",
        "status": "affected"
      }
    ]
  }
]