
exploitDog


GHSA-g92j-qhmh-64v2

Published: 18 Jul 2024
Source: github
Github: Reviewed
CVSS4: 1.8
CVSS3: 2.5

Description

Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use the env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

  1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

  2. Disable the Stdlib integration:

import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)
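Added example, not code from the advisory or from sentry-sdk: a regression check for the behaviour described under Details and for the first workaround. It spawns a child interpreter with env={} and reports which of the parent's variables reached it; MARKER, CHILD_CODE and the function names are assumptions of this example.

```python
import json
import os
import subprocess
import sys

# Constructed marker: set in the parent only, so its presence in a child
# spawned with env={} proves the parent's environment leaked through.
MARKER = "ENV_LEAK_CHECK_MARKER"

# The child reports the environment it actually received as JSON on stdout.
CHILD_CODE = "import json, os, sys; sys.stdout.write(json.dumps(dict(os.environ)))"


def child_environment(env):
    """Run a child interpreter with the given env and return the env it observed."""
    out = subprocess.check_output([sys.executable, "-c", CHILD_CODE], env=env)
    return json.loads(out.decode())


def leaked_variables(env=None):
    """Names of parent variables that reached the child despite `env`.
    `env` defaults to {} (the setting the buggy SDK ignores). Intersecting
    with the parent's own variable set filters most of what the child
    interpreter injects by itself, but locale coercion can still add
    LC_CTYPE, so judge isolation by MARKER rather than by an empty list.
    """
    if env is None:
        env = {}
    os.environ[MARKER] = "1"
    try:
        seen = child_environment(env)
    finally:
        os.environ.pop(MARKER, None)
    parent = set(os.environ) | {MARKER}
    return sorted((set(seen) - set(env)) & parent)


def env_isolation_intact():
    """True when env={} really yields an isolated child (patched SDK or no SDK).
    On sentry-sdk <2.8.0 with StdlibIntegration enabled and sentry_sdk.init()
    called before this runs, MARKER leaks and this returns False.
    """
    return MARKER not in leaked_variables({})


if __name__ == "__main__":
    # Workaround 1 from the advisory: a minimal non-empty dict instead of {}.
    for env in ({}, {"EMPTY_ENV": "1"}):
        print(env, "->", leaked_variables(env) or "no leak")
```

Run it once before and once after calling sentry_sdk.init() in an affected application to see the difference; only the marker's presence is significant.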


Packages

Name: sentry-sdk (pip)
Affected versions: >= 2.0.0a1, < 2.8.0
Fixed version: 2.8.0

Name: sentry-sdk (pip)
Affected versions: < 1.45.1
Fixed version: 1.45.1

EPSS

Percentile: 8%
Score: 0.0003
Low

CVSS4: 1.8 Low

CVSS3: 2.5 Low

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 1 year ago

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

CVSS3: 5.3
nvd
more than 1 year ago

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

msrc
5 months ago

Unintentional exposure of environment variables to subprocesses in sentry-sdk

CVSS3: 5.3
debian
more than 1 year ago

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's ...

suse-cvrf
more than 1 year ago

Security update for python-sentry-sdk
