| id: GO-2023-1546 |
| modules: |
| - module: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| versions: |
| - introduced: 0.38.0 |
| - fixed: 0.39.0 |
| vulnerable_at: 0.38.0 |
| packages: |
| - package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| symbols: |
| - Handler.ServeHTTP |
| summary: |- |
| Denial of service in |
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp |
| description: |- |
| The otelhttp package of opentelemetry-go-contrib is vulnerable to a |
| denial-of-service attack. |
| |
| The otelhttp package uses the httpconv.ServerRequest function to annotate metric |
| measurements for the http.server.request_content_length, |
| http.server.response_content_length, and http.server.duration instruments. The |
| ServerRequest function sets the http.target attribute value to be the whole |
| request URI (including the query string). The metric instruments do not "forget" |
| previous measurement attributes when "cumulative" temporality is used, meaning |
| that the cardinality of the measurements allocated is directly correlated with |
| the unique URIs handled. If the query string is constantly random, this will |
| result in a constant increase in memory allocation that can be used in a |
| denial-of-service attack. |
| cves: |
| - CVE-2023-25151 |
| ghsas: |
| - GHSA-5r5m-65gx-7vrh |
| related: |
| - CVE-2022-21698 |
| - CVE-2023-45142 |
| - GHSA-cg3q-j54f-5p7p |
| - GHSA-rcjv-mgp8-qvmr |
| references: |
| - advisory: https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh |
| review_status: REVIEWED |