CVE-2024-40647: 
Python vulnerability analysis and mitigation

A vulnerability in Sentry's Python SDK versions prior to 2.8.0 allows environment variables to be passed to subprocesses despite the env={} setting. The issue was discovered and disclosed in July 2024, affecting applications using the Sentry Python SDK with the Stdlib integration enabled (which is enabled by default). The vulnerability is tracked as CVE-2024-40647 (GitHub Advisory).

In Python's subprocess module, environment variables are passed to subprocesses by default. While developers can use the env argument in subprocess calls to control this behavior, setting env={} to prevent environment variable inheritance, the bug in Sentry SDK causes all environment variables to be passed regardless when the Stdlib integration is enabled. This occurs because during the arguments modification to subprocess.Popen.init, an explicitly empty environment of {} is incorrectly confused with a None environment, causing Sentry to pass the entire environment of the parent process instead of just the injected environment variables. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability can lead to unintended exposure of sensitive environment variables to subprocess calls, even when explicitly configured not to do so. This could potentially expose sensitive information such as API keys, credentials, or other confidential data stored in environment variables to child processes that should not have access to them (GitHub Advisory).

The issue has been patched in sentry-sdk version 2.8.0 and backported to version 1.45.1. For users unable to upgrade, two workarounds are available: 1) Replace env={} with a minimal dict like env={"EMPTY_ENV":"1"}, or 2) Disable the Stdlib integration by removing it from the default integrations before initializing Sentry. The recommended approach is to upgrade to the latest SDK version (GitHub Advisory).