datadog/dd-trace Circumvents open_basedir INI directive

Low severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database

Package

composer datadog/dd-trace (Composer)

Affected versions

>= 0.30.0, < 0.30.2

Patched versions

0.30.2

Description

datadog/dd-trace versions 0.30.0 up to but not including 0.30.2 load the PHP file named by the ddtrace.request_init_hook INI setting without enforcing the open_basedir INI directive. A hook path that points outside the directories allowed by open_basedir is therefore still included, which defeats the restriction that open_basedir is meant to impose on file access for the request. PR #579, released in 0.30.2, makes the request init hook loader subject to open_basedir, so a hook outside the permitted directories is refused.
The same change also runs the request init hook in a sandbox that isolates it from errors and exceptions raised during its execution, so a failing hook no longer aborts or otherwise affects the main script. Deployments that rely on open_basedir as a containment measure should confirm they are on 0.30.2 or later and that the configured hook path lies inside an allowed directory.
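The following PHP is an added illustration of the two properties the fix restores and is not code from datadog/dd-trace. The function names pathWithinOpenBasedir and runRequestInitHook, the temporary hook files and the path /etc/hostname are assumptions made for the example. Note that in userland PHP include and require already honour open_basedir; the point of the advisory is that the extension-level hook loader did not, so the explicit check below mirrors what that loader must do itself. The prefix comparison is deliberately stricter than PHP's own open_basedir rule, which treats an entry without a trailing slash as a plain string prefix.

```php
<?php
// Added illustration for this advisory; not code from datadog/dd-trace.
// Hypothetical names: pathWithinOpenBasedir, runRequestInitHook.
declare(strict_types=1);

/**
 * Return true if $path resolves to a location inside one of the directories
 * listed in open_basedir, or if no open_basedir restriction is configured.
 */
function pathWithinOpenBasedir(string $path): bool
{
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        return true;                       // no restriction in effect
    }
    // realpath() itself honours open_basedir: a path outside it yields false
    // plus a warning; @ suppresses the warning because false is the answer.
    $real = @realpath($path);
    if ($real === false) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $allowed) {
        $allowedReal = @realpath($allowed);
        if ($allowedReal === false) {
            continue;
        }
        $prefix = rtrim($allowedReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Match on a directory boundary, so an entry /tmp does not admit /tmpfoo.
        if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Load the request init hook in isolation: refuse paths outside open_basedir,
 * turn warnings and notices raised by the hook into exceptions, and catch every
 * Throwable so a broken hook cannot abort the main script.
 */
function runRequestInitHook(string $hookPath): bool
{
    if (!pathWithinOpenBasedir($hookPath)) {
        error_log("request_init_hook refused: $hookPath is outside open_basedir");
        return false;
    }
    set_error_handler(static function (int $errno, string $errstr, string $file, int $line): bool {
        throw new \ErrorException($errstr, 0, $errno, $file, $line);
    });
    try {
        // A separate closure scope keeps the hook's variables out of the caller's scope.
        (static function () use ($hookPath): void {
            require $hookPath;
        })();
        return true;
    } catch (\Throwable $e) {
        error_log('request_init_hook failed: ' . get_class($e) . ': ' . $e->getMessage());
        return false;
    } finally {
        restore_error_handler();
    }
}

// --- Demonstration with constructed inputs (created here, not real hooks) ---
$dir = sys_get_temp_dir() . '/ddhook_' . uniqid();
mkdir($dir);
file_put_contents("$dir/good.php", '<?php $GLOBALS["hook_ran"] = true;');
file_put_contents("$dir/bad.php", '<?php throw new RuntimeException("hook exploded");');
$outside = '/etc/hostname';            // assumed path outside the sandbox

// open_basedir can be tightened (never loosened) at runtime.
ini_set('open_basedir', $dir);

var_dump(runRequestInitHook("$dir/good.php"));  // inside the sandbox
var_dump(runRequestInitHook("$dir/bad.php"));   // inside the sandbox, but throws
var_dump(runRequestInitHook($outside));         // outside the sandbox, refused before require
echo "main script still running\n";
```

Run it with a stock php CLI; the third call is rejected by the path check before any include is attempted, and the second is caught without stopping the script, which is the behaviour 0.30.2 provides for the real hook.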

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-qvgg-r6rq-vwfx
