data/reports/GO-2023-1546.yaml - vulndb - Git at Google

 id: GO-2023-1546
 modules:
     - module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
       versions:
         - introduced: 0.38.0
           fixed: 0.39.0
       vulnerable_at: 0.38.0
       packages:
         - package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
           symbols:
             - Handler.ServeHTTP
 summary: Denial-of-service for high-cardinality metrics in otelhttp
 description: |
     The otelhttp package of opentelemetry-go-contrib is vulnerable to a
     denial-of-service attack.

     The otelhttp package uses the httpconv.ServerRequest function to annotate
     metric measurements for the http.server.request_content_length,
     http.server.response_content_length, and http.server.duration
     instruments. The ServerRequest function sets the http.target attribute
     value to be the whole request URI (including the query string). The metric
     instruments do not "forget" previous measurement attributes when
     "cumulative" temporality is used, meaning that the cardinality of the
     measurements allocated is directly correlated with the unique URIs handled.
     If the query string is constantly random, this will result in a constant
     increase in memory allocation that can be used in a denial-of-service
     attack.
 cves:
     - CVE-2023-25151
 ghsas:
     - GHSA-5r5m-65gx-7vrh
 references:
     - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
	id: GO-2023-1546
	modules:
	- module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
	versions:
	- introduced: 0.38.0
	fixed: 0.39.0
	vulnerable_at: 0.38.0
	packages:
	- package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
	symbols:
	- Handler.ServeHTTP
	summary: Denial-of-service for high-cardinality metrics in otelhttp
	description: \|
	The otelhttp package of opentelemetry-go-contrib is vulnerable to a
	denial-of-service attack.

	The otelhttp package uses the httpconv.ServerRequest function to annotate
	metric measurements for the http.server.request_content_length,
	http.server.response_content_length, and http.server.duration
	instruments. The ServerRequest function sets the http.target attribute
	value to be the whole request URI (including the query string). The metric
	instruments do not "forget" previous measurement attributes when
	"cumulative" temporality is used, meaning that the cardinality of the
	measurements allocated is directly correlated with the unique URIs handled.
	If the query string is constantly random, this will result in a constant
	increase in memory allocation that can be used in a denial-of-service
	attack.
	cves:
	- CVE-2023-25151
	ghsas:
	- GHSA-5r5m-65gx-7vrh
	references:
	- advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh