CVE-2024-40647: Sensitive Information Exposure in Sentry-python

Severity
5.3 MEDIUM (NVD)
EPSS
0.0%
top 91.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published 2024-07-18

Description

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use the `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default)
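The following is an added example, not code from cvebase or from the getsentry/sentry-python project. It probes the behaviour the description covers: it places a canary variable in the parent environment, spawns a Python child with `env={}`, and reports which parent variables reached the child. Run it inside an application after `sentry_sdk.init()` to test the installed SDK version; without the SDK imported it exercises plain stdlib `subprocess`, which honours `env={}`. The canary name and the two `merge_env_*` helpers, which model the bug class behind the description (an empty dict treated as if no `env` had been given), are assumptions written for this illustration and are not the SDK's own code.

```python
"""Check whether `subprocess` honours `env={}` under the running SDK.

Added example for this advisory; not code from cvebase or from
getsentry/sentry-python. Run it in a process that has already called
`sentry_sdk.init()` (the Stdlib integration is enabled by default) to see
whether the installed SDK version reproduces the described behaviour.
With no sentry-sdk imported it exercises plain stdlib `subprocess`.
"""
import json
import os
import subprocess
import sys

# Assumed canary name; any name not already in the parent environment works.
CANARY = "CVE_2024_40647_CANARY"


def child_environment(env):
    """Spawn a Python child with `env` and return the environment it actually saw."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, os; print(json.dumps(dict(os.environ)))"],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return json.loads(proc.stdout)


def leaked_env_vars():
    """Names of parent variables that reached a child spawned with env={}.

    Correct behaviour returns an empty set. A result containing CANARY means the
    parent environment was passed despite env={}, i.e. the CVE-2024-40647
    behaviour. Only names present in the parent are counted, so variables a
    patched SDK injects itself for trace propagation are not reported as leaks.
    """
    os.environ[CANARY] = "do-not-leak"
    parent_names = set(os.environ)
    try:
        seen = child_environment({})
    finally:
        os.environ.pop(CANARY, None)
    return set(seen) & parent_names


# The two helpers below model the bug class behind the description (an empty
# dict treated like "no env given"). They are an illustration written for this
# page, not the SDK's own code.
def merge_env_buggy(env):
    """`{}` is falsy, so `env or os.environ` silently inherits the whole parent."""
    return dict(env or os.environ)


def merge_env_fixed(env):
    """Only None means inherit; an explicit `{}` stays empty."""
    return dict(env if env is not None else os.environ)


if __name__ == "__main__":
    leaked = leaked_env_vars()
    if leaked:
        print(f"LEAK: {len(leaked)} parent variable(s) reached the child despite env={{}}")
        print(f"canary leaked: {CANARY in leaked}")
    else:
        print("OK: env={} produced an empty child environment")
```

With sentry-sdk < 2.8.0 initialised in the same process, expect the canary to appear in the result; on 2.8.0 or later, or with the Stdlib integration disabled, the set should be empty. Run the probe on Linux or macOS: a Windows child started with a completely empty environment may fail before it can report anything.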

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Exploitability: 0.8 | Impact: 4.0

Affected Packages (4 packages)

Source      Package                    Affected versions
debian      debian/sentry-python       < 2.16.0-1 (forky)
CVEListV5   getsentry/sentry-python    < 2.8.0
Debian      getsentry/sentry-python    < 2.16.0-1+1

🔴 Vulnerability Details (3)

OSV: Sentry's Python SDK unintentionally exposes environment variables to subprocesses (2024-07-18)
GHSA: Sentry's Python SDK unintentionally exposes environment variables to subprocesses (2024-07-18)
OSV: CVE-2024-40647: sentry-sdk is the official Python SDK for Sentry (2024-07-18)

📋 Vendor Advisories (2)

Microsoft: Unintentional exposure of environment variables to subprocesses in sentry-sdk (2024-07-09)
Debian: CVE-2024-40647: sentry-python - sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SD... (2024)