CVE-2024-40647

2024-07-1800:00:00

ubuntu.com

sentry

python sdk

bug

environment

variables

subprocess

security risk

integration

patch

unix

CVSS3

5.3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

7.2

Confidence

Low

JSON

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry’s
Python SDK < 2.8.0 allows the environment variables to be passed to
subprocesses despite the env={} setting. In Python’s subprocess calls,
all environment variables are passed to subprocesses by default. However,
if you specifically do not want them to be passed to subprocesses, you may
use env argument in subprocess calls. Due to the bug in Sentry SDK,
with the Stdlib integration enabled (which is enabled by default), this
expectation is not fulfilled, and all environment variables are being
passed to subprocesses instead. The issue has been patched in pull request
#3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading
to the latest SDK version. However, if it’s not possible, and if passing
environment variables to child processes poses a security risk for you, you
can disable all default integrations.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchsentry-python< anyUNKNOWN
ubuntu22.04noarchsentry-python< anyUNKNOWN
ubuntu24.04noarchsentry-python< anyUNKNOWN