sentry-sdk 0.3.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the sentry-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Information Exposure Affected versions of this package are vulnerable to Information Exposure due to all environment variables being passed to the subprocesses when `env={}` is set. This vulnerability could lead to unintentional exposure of environment variables to subprocesses despite the `env={}` setting, unless the Sentry SDK's Stdlib integration is disabled. Note: The Stdlib integration is enabled by default. How to fix Information Exposure? Upgrade `sentry-sdk` to version 2.8.0 or higher.	[,2.8.0)
M Race Condition Affected versions of this package are vulnerable to Race Condition such that in some cases the `start_child` method can be called on the Transaction which `_span_recorder` has been already deleted from the instance. How to fix Race Condition? Upgrade `sentry-sdk` to version 1.4.1 or higher.	[,1.4.1)
M Information Exposure Affected versions of this package are vulnerable to Information Exposure in the Django integration, which leaks sensitive cookies values, including the session cookie to Sentry. An attacker with access to Sentry issues can use such cookies to escalate privileges within the application. Note: All of these conditions must be met for an application to be vulnerable: `sendDefaultPII` is set to `True`, which is not the default. `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` has a custom name in Django settings. Data scrubbing features are NOT being used to scrub the custom cookie names.. How to fix Information Exposure? Upgrade `sentry-sdk` to version 1.14.0 or higher.	[,1.14.0)

Vulnerability

Vulnerable Version

Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to all environment variables being passed to the subprocesses when env={} is set. This vulnerability could lead to unintentional exposure of environment variables to subprocesses despite the env={} setting, unless the Sentry SDK's Stdlib integration is disabled.

Note:

The Stdlib integration is enabled by default.

How to fix Information Exposure?

Upgrade sentry-sdk to version 2.8.0 or higher.

[,2.8.0)

Race Condition

Affected versions of this package are vulnerable to Race Condition such that in some cases the start_child method can be called on the Transaction which _span_recorder has been already deleted from the instance.

How to fix Race Condition?

Upgrade sentry-sdk to version 1.4.1 or higher.

[,1.4.1)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure in the Django integration, which leaks sensitive cookies values, including the session cookie to Sentry. An attacker with access to Sentry issues can use such cookies to escalate privileges within the application.

Note:

All of these conditions must be met for an application to be vulnerable:

sendDefaultPII is set to True, which is not the default.
SESSION_COOKIE_NAME or CSRF_COOKIE_NAME has a custom name in Django settings.
Data scrubbing features are NOT being used to scrub the custom cookie names..

How to fix Information Exposure?

Upgrade sentry-sdk to version 1.14.0 or higher.

[,1.14.0)

sentry-sdk@0.3.0 vulnerabilities

Python client for Sentry (https://sentry.io)

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically