CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 1CVE-2024-36129 – OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
https://notcve.org/view.php?id=CVE-2024-36129
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1. OpenTelemetry Collector ofrece una implementación independiente del proveedor sobre cómo recibir, procesar y exportar datos de telemetría. • https://github.com/open-telemetry/opentelemetry-collector/pull/10289 https://github.com/open-telemetry/opentelemetry-collector/pull/10323 https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v https://opentelemetry.io/blog/2024/cve-2024-36129 https://access.redhat.com/security/cve/CVE-2024-36129 https://bugzilla.redhat.com/show_bug.cgi?id=2291337 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47108 – DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
https://notcve.org/view.php?id=CVE-2023-47108
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. • https://github.com/bahe-msft/govuln-CVE-2023-47108 https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327 https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138 https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b https://github.com/open-telemet • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45142 – OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics
https://notcve.org/view.php?id=CVE-2023-45142
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. • https://github.com/advisories/GHSA-cg3q-j54f-5p7p https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65 https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277 https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0 https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh https://github.com/open-telemetry/opentelemetry-go-contrib/security/ • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43810 – opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics
https://notcve.org/view.php?id=CVE-2023-43810
OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. • https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0 https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v • CWE-400: Uncontrolled Resource Consumption •