CVE-2024-40647 – Unintentional exposure of environment variables to subprocesses in sentry-sdk

https://notcve.org/view.php?id=CVE-2024-40647

18 Jul 2024 — sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expec... • https://docs.python.org/3/library/subprocess.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •