blob: 536372e5d49bba55f68558c517cc4192dc75a185 [file] [log] [blame]
id: GO-2023-1546
modules:
- module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
versions:
- introduced: 0.38.0
fixed: 0.39.0
vulnerable_at: 0.38.0
packages:
- package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
symbols:
- Handler.ServeHTTP
summary: |-
Denial of service in
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
description: |-
The otelhttp package of opentelemetry-go-contrib is vulnerable to a
denial-of-service attack.
The otelhttp package uses the httpconv.ServerRequest function to annotate metric
measurements for the http.server.request_content_length,
http.server.response_content_length, and http.server.duration instruments. The
ServerRequest function sets the http.target attribute value to be the whole
request URI (including the query string). The metric instruments do not "forget"
previous measurement attributes when "cumulative" temporality is used, meaning
that the cardinality of the measurements allocated is directly correlated with
the unique URIs handled. If the query string is constantly random, this will
result in a constant increase in memory allocation that can be used in a
denial-of-service attack.
cves:
- CVE-2023-25151
ghsas:
- GHSA-5r5m-65gx-7vrh
references:
- advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh