| modules: |
| - module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| versions: |
| - introduced: 0.38.0 |
| fixed: 0.39.0 |
| vulnerable_at: 0.38.0 |
| packages: |
| - package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| symbols: |
| - Handler.ServeHTTP |
| summary: Denial-of-service for high-cardinality metrics in otelhttp |
| description: | |
| The otelhttp package of opentelemetry-go-contrib is vulnerable to a |
| denial-of-service attack. |
| |
| The otelhttp package uses the httpconv.ServerRequest function to annotate |
| metric measurements for the http.server.request_content_length, |
| http.server.response_content_length, and http.server.duration |
| instruments. The ServerRequest function sets the http.target attribute |
| value to be the whole request URI (including the query string). The metric |
| instruments do not "forget" previous measurement attributes when |
| "cumulative" temporality is used, meaning that the cardinality of the |
| measurements allocated is directly correlated with the unique URIs handled. |
| If the query string is constantly random, this will result in a constant |
| increase in memory allocation that can be used in a denial-of-service |
| attack. |
| cves: |
| - CVE-2023-25151 |
| ghsas: |
| - GHSA-5r5m-65gx-7vrh |
| references: |
| - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh |
