CVE-2023-45142Allocation of Resources Without Limits or Throttling in Opentelemetry-go-contrib

CWE-770Allocation of Resources Without Limits or Throttling8 documents6 sources
Severity
7.5HIGHNVD
EPSS
1.2%
top 21.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
33
Open-telemetry Opentelemetry-go-contribGo.opentelemetry.io Contrib Instrumentation Github.com Emicklei Go-restful OtelrestfulGo.opentelemetry.io Contrib Instrumentation Github.com Gin-gonic GIN Otelgin+30 more
Timeline
PublishedOct 12
Latest updateApr 15

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method`

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages33 packages

🔴Vulnerability Details

4
OSV
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics2023-10-16
OSV
Memory exhaustion in go.opentelemetry.io/contrib/instrumentation2023-10-16
GHSA
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics2023-10-16
OSV
CVE-2023-45142: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go2023-10-12

📋Vendor Advisories

3
Oracle
Oracle Oracle Communications Risk Matrix: Observability Services Overlay (Prometheus) — CVE-2023-451422024-04-15
Red Hat
opentelemetry: DoS vulnerability in otelhttp2023-10-12
Microsoft
OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics2023-10-10