2.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-40647

GHSA ID

GHSA-g92j-qhmh-64v2

EPSS Score

0.04501%

CWE

CWE-200

Published

7/18/2024

Updated

8/5/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-40647

CVE-2024-40647: Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

Disable Stdlib integration:

import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References

Sentry docs: Default integrations
Python docs: subprocess module
Patch https://github.com/getsentry/sentry-python/pull/3251

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-40647

CVE-2024-40647:

2.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-40647

GHSA ID

GHSA-g92j-qhmh-64v2

EPSS Score

0.04501%

CWE

CWE-200

Published

7/18/2024

Updated

8/5/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sentry-sdk	pip	< 2.8.0	2.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is described as the Sentry Python SDK unintentionally exposing environment variables to subprocesses when env={} is used in subprocess calls, if the Stdlib integration is enabled. The provided patch (commit 763e40aa4cb57ecced467f48f78f335c87e9bdff) modifies the sentry_patched_popen_init function within sentry_sdk/integrations/stdlib.py. This function is responsible for patching subprocess.Popen.__init__. The specific change from lambda x: dict(x or os.environ) to lambda x: dict(x if x is not None else os.environ) directly addresses the bug. The old logic (x or os.environ) would cause an empty env={} (which is falsy) to be replaced by os.environ, thus leaking all environment variables. The sentry_patched_popen_init function is therefore the direct location of the vulnerable code logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-40647: Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact

Details

Patches

Workarounds

References

CVE-2024-40647:

2.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2024-40647: Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact

Details

Patches

Workarounds

References

Technical Details

2.5

2.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI