Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOTJqLXFobWgtNjR2Ms4AA9_r
Sentry's Python SDK unintentionally exposes environment variables to subprocesses
Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.
Details
In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:
>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'
If you'd want to not pass any variables, you can set an empty dict:
>>> subprocess.check_output(["env"], env={})
b''
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.
Patches
The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
- In your application, replace
env={}with the minimal dictenv={"EMPTY_ENV":"1"}or similar.
OR
- Disable Stdlib integration:
import sentry_sdk
# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")
sentry_sdk.init(...)
References
- Sentry docs: Default integrations
- Python docs: subprocess module
- Patch https://github.com/getsentry/sentry-python/pull/3251
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOTJqLXFobWgtNjR2Ms4AA9_r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 months ago
Updated: about 2 months ago
CVSS Score: 2.5
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-g92j-qhmh-64v2, CVE-2024-40647
References:
- https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
- https://github.com/getsentry/sentry-python/pull/3251
- https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
- https://docs.python.org/3/library/subprocess.html
- https://docs.sentry.io/platforms/python/integrations/default-integrations
- https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib
- https://github.com/getsentry/sentry-python/releases/tag/2.8.0
- https://nvd.nist.gov/vuln/detail/CVE-2024-40647
- https://github.com/advisories/GHSA-g92j-qhmh-64v2
Blast Radius: 10.3
Affected Packages
pypi:sentry-sdk
Dependent packages: 504Dependent repositories: 13,068
Downloads: 40,061,266 last month
Affected Version Ranges: < 2.8.0
Fixed in: 2.8.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.7.14, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.22.2, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.25.1, 1.26.0, 1.27.0, 1.27.1, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.33.1, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.39.0, 1.39.1, 1.39.2, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.40.5, 1.40.6, 1.41.0, 1.42.0, 1.43.0, 1.44.0, 1.44.1, 1.45.0, 1.45.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.7.1
All unaffected versions: 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0