UBUNTU-CVE-2024-40647

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-40647

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-40647.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-40647

Related

CVE-2024-40647

Published

2024-07-18T17:15:00Z

Modified

2024-10-15T14:15:25Z

Summary

[none]

Details

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the env={} setting. In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

References

Affected packages

Ubuntu:20.04:LTS / sentry-python

Package

Name: sentry-python
Purl: pkg:deb/ubuntu/sentry-python?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.12.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / sentry-python

Package

Name: sentry-python
Purl: pkg:deb/ubuntu/sentry-python?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.13.2-1

1.*

1.4.3-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / sentry-python

Package

Name: sentry-python
Purl: pkg:deb/ubuntu/sentry-python?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.39.2-0.1

1.40.4-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / sentry-python

Package

Name: sentry-python
Purl: pkg:deb/ubuntu/sentry-python?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.9.10-2

1.39.2-0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}