DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib
CVE-2023-25151
7.5 HIGH
What is CVE-2023-25151?
The OpenTelemetry-Go Contrib extensions' v0.38.0 release contains a vulnerability in the httpconv.ServerRequest function, where the http.target attribute value is set to the complete request URI, including the query string. Because previous measurement attributes are not released when cumulative temporality is used, every distinct URI adds another attribute set that stays resident in memory, so frequent use of unique URIs causes memory allocation to keep increasing. As a result, this behavior can be exploited in a denial-of-service attack. The issue has been resolved in version 0.39.0, and users are encouraged to upgrade promptly. No workarounds exist for this vulnerability.
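To make the mechanism concrete, here is an added Go simulation (not code from opentelemetry-go-contrib): a cumulative counter keyed by the full request URI, as the affected httpconv.ServerRequest set http.target, beside the same counter keyed by the path alone. The store, the request set and the path-only key are constructed for illustration; the path-only contrast is a modelling device, not a setting the library exposes.

```go
package main

import (
	"fmt"
	"net/url"
)

// targetKeys returns the attribute value as the affected httpconv.ServerRequest
// built it (full request URI, query included) and, as a constructed contrast
// that is not a library option, the path alone.
func targetKeys(rawURL string) (fullURI, pathOnly string) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return rawURL, rawURL
	}
	return u.RequestURI(), u.Path
}

// cumulativeStore models a cumulative-temporality counter: every distinct
// attribute set stays resident for the life of the process.
type cumulativeStore struct{ counts map[string]int64 }

func newStore() *cumulativeStore           { return &cumulativeStore{counts: map[string]int64{}} }
func (s *cumulativeStore) record(k string) { s.counts[k]++ }
func (s *cumulativeStore) series() int     { return len(s.counts) } // live attribute sets

// constructedRequests makes n request URIs that differ only in a query value.
func constructedRequests(n int) []string {
	reqs := make([]string, n)
	for i := range reqs {
		reqs[i] = fmt.Sprintf("/api/items?q=%d", i)
	}
	return reqs
}

// simulate records every request under both keys and returns each store's live series count.
func simulate(reqs []string) (fullSeries, pathSeries int) {
	full, path := newStore(), newStore()
	for _, r := range reqs {
		f, p := targetKeys(r)
		full.record(f)
		path.record(p)
	}
	return full.series(), path.series()
}

func main() {
	f, p := simulate(constructedRequests(1000))
	fmt.Printf("full-URI key: %d series, path-only key: %d series\n", f, p)
}
```

With 1000 requests that differ only in the query string, the full-URI store holds 1000 series that are never released, while the path-only store holds one.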
Affected Version(s)
opentelemetry-go-contrib >= 0.38.0, < 0.39.0
