Vulnerability Details : CVE-2023-25151
opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to be the whole request URI (including the query string)[^1]. The metric instruments do not "forget" previous measurement attributes when `cumulative` temporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack. This issue has been addressed in version 0.39.0. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: Denial of service
Products affected by CVE-2023-25151
- cpe:2.3:a:linuxfoundation:opentelemetry-go_contrib:0.38.0:*:*:*:*:opentelemetry-go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25151
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 41 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-25151
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-25151
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-25151
-
https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159
opentelemetry-go/http.go at v1.12.0 · open-telemetry/opentelemetry-go · GitHubVendor Advisory
-
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
DoS vulnerability for high cardinality metrics in otelhttp and otelbeego · Advisory · open-telemetry/opentelemetry-go-contrib · GitHubExploit;Vendor Advisory
Jump to