nPinA-pi-network icon indicating copy to clipboard operation
nPinA-pi-network copied to clipboard

Published 20 hours ago verified publisher icon KOSASIH

sentry_sdk-1.14.0-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.3)

Open mend-bolt-for-github[bot] opened this issue 1 year ago • 0 comments

Vulnerable Library - sentry_sdk-1.14.0-py2.py3-none-any.whl

Python client for Sentry (https://sentry.io)

Library home page: https://files.pythonhosted.org/packages/06/fa/cfc43276f3221006d861bf7e66d7361a47106121df65947fd3225793d845/sentry_sdk-1.14.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: c24b250c4fdd4b0bb57881f5f09e59a6f6a1a3b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (sentry_sdk version) Remediation Possible**
CVE-2024-40647 Medium 5.3 sentry_sdk-1.14.0-py2.py3-none-any.whl Direct 1.45.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-40647

Vulnerable Library - sentry_sdk-1.14.0-py2.py3-none-any.whl

Python client for Sentry (https://sentry.io)

Library home page: https://files.pythonhosted.org/packages/06/fa/cfc43276f3221006d861bf7e66d7361a47106121df65947fd3225793d845/sentry_sdk-1.14.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • :x: sentry_sdk-1.14.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c24b250c4fdd4b0bb57881f5f09e59a6f6a1a3b5

Found in base branch: main

Vulnerability Details

sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the env={} setting. In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.

Publish Date: 2024-07-18

URL: CVE-2024-40647

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2

Release Date: 2024-07-18

Fix Resolution: 1.45.1

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Aug 02 '24 18:08 mend-bolt-for-github[bot]