CVE-2024-40647: Sentry's Python SDK unintentionally exposes environment variables to subprocesses
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.
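As an added illustration (not the SDK's code and not taken from this advisory), the hypothetical helpers below contrast a falsy check on `env` with an identity check against `None`, and `parent_var_visible_to_child` verifies which variant leaks a parent-only variable into a child started with `env={}`. All names and values are constructed.

```python
import os
import subprocess
import sys

# Hypothetical, simplified re-creation of the bug class in the advisory:
# an integration adds a few variables of its own to a child's environment.
# Treating env={} like env=None hands the child the whole parent environment
# even though the caller asked for an empty one. Illustration only.
EXTRA_VARS = {"EXAMPLE_TRACE_ID": "constructed-value"}  # constructed


def child_env_buggy(env):
    """Falsy check: {} and None are both replaced by the full parent environment."""
    if not env:
        env = os.environ.copy()
    env = dict(env)
    env.update(EXTRA_VARS)
    return env


def child_env_fixed(env):
    """Identity check: only None means 'inherit'; an explicit {} stays empty."""
    if env is None:
        env = os.environ.copy()
    env = dict(env)
    env.update(EXTRA_VARS)
    return env


def parent_var_visible_to_child(env_builder, marker="CANARY_SECRET"):
    """Set a parent-only variable, spawn a child with env={} passed through
    env_builder, and return True if the child can see that variable."""
    os.environ[marker] = "constructed-canary"
    try:
        child = subprocess.run(
            [sys.executable, "-c", "import os; print(' '.join(sorted(os.environ)))"],
            env=env_builder({}),
            capture_output=True,
            text=True,
            check=True,
        )
    finally:
        del os.environ[marker]
    return marker in child.stdout.split()


if __name__ == "__main__":
    print("buggy leaks parent env:", parent_var_visible_to_child(child_env_buggy))
    print("fixed leaks parent env:", parent_var_visible_to_child(child_env_fixed))
```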
References
- docs.python.org/3/library/subprocess.html
- docs.sentry.io/platforms/python/integrations/default-integrations
- github.com/advisories/GHSA-g92j-qhmh-64v2
- github.com/getsentry/sentry-python
- github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
- github.com/getsentry/sentry-python/pull/3251
- github.com/getsentry/sentry-python/releases/tag/2.8.0
- github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
- nvd.nist.gov/vuln/detail/CVE-2024-40647