ghsa-g92j-qhmh-64v2
Vulnerability from github
Published
2024-07-18 17:18
Modified
2024-07-26 21:44
Summary
Sentry's Python SDK unintentionally exposes environment variables to subprocesses
Details

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. If you specifically do not want them to be passed, you can use the env argument of the subprocess call, like in this example:

```
>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'
```

If you'd want to not pass any variables, you can set an empty dict:

```
>>> subprocess.check_output(["env"], env={})
b''
```

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

  1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

  2. Disable the Stdlib integration:

```
import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)
```
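The following check is an added example, not code from the advisory or from the sentry-python project. It sets a canary variable in the parent, spawns a child with env={} and reports whether the canary reached the child, which is the symptom described under Details; a second helper applies workaround 2 from above before initialising the SDK. The canary name is constructed for this check, and the helper assumes sentry_sdk.init() without a DSN sends nothing.

```python
import json
import os
import subprocess
import sys

# Constructed canary name; any variable that does not exist in a real environment works.
CANARY = "GHSA_G92J_CANARY"


def child_environment(env):
    """Spawn a Python child with exactly `env` and return the environment it actually received."""
    out = subprocess.check_output(
        [sys.executable, "-c", "import os, json; print(json.dumps(dict(os.environ)))"],
        env=env,
    )
    return json.loads(out)


def canary_leaks_to_child():
    """True if a variable set only in the parent reaches a child spawned with env={}.

    A plain interpreter (or a fixed sentry-sdk) gives False; a vulnerable sentry-sdk
    initialised with the Stdlib integration enabled gives True. Python itself may inject
    LC_CTYPE into an empty child environment (PEP 538 locale coercion), so testing for an
    empty environment would be the wrong check; testing for the parent's canary is not.
    """
    os.environ[CANARY] = "1"
    try:
        return CANARY in child_environment({})
    finally:
        os.environ.pop(CANARY, None)


def init_sentry_without_stdlib_integration():
    """Apply workaround 2 (drop StdlibIntegration from the defaults) and then initialise the SDK.

    Returns True when sentry-sdk was found and initialised, False when it is not installed.
    Assumes init() without a DSN is a no-op transport-wise, so nothing leaves the host.
    """
    try:
        import sentry_sdk
    except ImportError:
        return False
    defaults = sentry_sdk.integrations._DEFAULT_INTEGRATIONS
    name = "sentry_sdk.integrations.stdlib.StdlibIntegration"
    if name in defaults:  # must happen before sentry_sdk.init()
        defaults.remove(name)
    sentry_sdk.init()
    return True


if __name__ == "__main__":
    print("canary leaks with plain interpreter:", canary_leaks_to_child())
    if init_sentry_without_stdlib_integration():
        print("canary leaks after init with workaround:", canary_leaks_to_child())
```

Run it once before and once after upgrading (or after applying the workaround) to confirm the isolation you expect from env={} actually holds in your deployment.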

References

  * Sentry docs: Default integrations (https://docs.sentry.io/platforms/python/integrations/default-integrations/)
  * Python docs: subprocess module (https://docs.python.org/3/library/subprocess.html)
  * Patch: https://github.com/getsentry/sentry-python/pull/3251


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T17:18:46Z",
    "nvd_published_at": "2024-07-18T17:15:05Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe bug in Sentry\u0027s Python SDK \u003c2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={}` setting.\n\n### Details\n\nIn Python\u0027s `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls, like in this example:\n\n```\n\u003e\u003e\u003e subprocess.check_output([\"env\"], env={\"TEST\":\"1\"})\nb\u0027TEST=1\\n\u0027\n```\n\nIf you\u0027d want to not pass any variables, you can set an empty dict:\n\n```\n\u003e\u003e\u003e subprocess.check_output([\"env\"], env={})\nb\u0027\u0027\n```\n\nHowever, the bug in Sentry SDK \u003c2.8.0 causes **all environment variables** to be passed to the subprocesses when `env={}` is set, unless the Sentry SDK\u0027s [Stdlib](https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib) integration is disabled. The Stdlib integration is enabled by default.\n\n### Patches\nThe issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in [sentry-sdk==2.8.0](https://github.com/getsentry/sentry-python/releases/tag/2.8.0). The fix was also backported to [sentry-sdk==1.45.1](https://github.com/getsentry/sentry-python/releases/tag/1.45.1).\n\n### Workarounds\n\nWe strongly recommend upgrading to the latest SDK version. However, if it\u0027s not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:\n\n1. In your application, replace `env={}` with the minimal dict `env={\"EMPTY_ENV\":\"1\"}` or similar.\n\nOR\n\n2. Disable Stdlib integration:\n```\nimport sentry_sdk\n\n# Should go before sentry_sdk.init\nsentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove(\"sentry_sdk.integrations.stdlib.StdlibIntegration\")\n\nsentry_sdk.init(...)\n```\n\n### References\n* Sentry docs: [Default integrations](https://docs.sentry.io/platforms/python/integrations/default-integrations/)\n* Python docs: [subprocess module](https://docs.python.org/3/library/subprocess.html)\n* Patch https://github.com/getsentry/sentry-python/pull/3251 \n",
  "id": "GHSA-g92j-qhmh-64v2",
  "modified": "2024-07-26T21:44:41Z",
  "published": "2024-07-18T17:18:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40647"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-python/pull/3251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/subprocess.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.sentry.io/platforms/python/integrations/default-integrations"
    },
    {
      "type": "WEB",
      "url": "https://docs.sentry.io/platforms/python/integrations/default-integrations/#stdlib"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry-python"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-python/releases/tag/2.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sentry\u0027s Python SDK unintentionally exposes environment variables to subprocesses"
}

