DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
CVE-2023-47108

7.5 HIGH

Key Information:

Vendor
CVE Published:
10 November 2023

What is CVE-2023-47108?

OpenTelemetry-Go Contrib prior to version 0.46.0 has a resource-exhaustion flaw in the gRPC instrumentation (module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc). The gRPC Unary Server Interceptor attaches the attributes net.peer.sock.addr and net.peer.sock.port to the metrics it records by default. Both values are chosen by the client: a remote peer controls its source address and can use a fresh ephemeral port for every connection, so the set of distinct attribute combinations, and therefore the number of metric series the SDK must keep in memory, is unbounded. An unauthenticated attacker who floods the server with requests from many addresses and ports forces the server to allocate a new series per request until memory is exhausted, a denial of service. Upgrading to version 0.46.0 fixes the issue. Workarounds are to register a metric View that removes the two offending attributes, or to disable gRPC metrics instrumentation entirely.
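The following is an added example, not code from the OpenTelemetry-Go Contrib project or the advisory. It models in plain Go what the SDK's aggregation does with the attribute sets otelgrpc emits: one stored series per distinct attribute set. The vulnerable configuration keeps net.peer.sock.addr and net.peer.sock.port, so every new client connection creates a new series; the hardened configuration applies an attribute filter in the role of a metric View that drops those two keys, and the series count stays constant no matter how many connections arrive. The `counter` type, the `dropPeerSock` filter and the sample IP addresses are constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute keys named in the advisory; their values are chosen by the remote peer.
const (
	attrPeerAddr = "net.peer.sock.addr"
	attrPeerPort = "net.peer.sock.port"
)

// attrs is one metric attribute set (label set) attached to a recorded data point.
type attrs map[string]string

// key canonicalises the attribute set so equal sets map to the same series.
func (a attrs) key() string {
	keys := make([]string, 0, len(a))
	for k := range a {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	for _, k := range keys {
		sb.WriteString(k)
		sb.WriteByte('=')
		sb.WriteString(a[k])
		sb.WriteByte(';')
	}
	return sb.String()
}

// counter is a hypothetical model of an aggregating metric instrument: it holds one
// entry per distinct attribute set. With attacker-controlled attributes this map is
// the memory that grows without bound. filter == nil keeps every attribute (the
// vulnerable default); otherwise only keys for which filter returns true are kept,
// which is the effect of a View that removes attributes.
type counter struct {
	series map[string]int64
	filter func(key string) bool
}

func newCounter(filter func(string) bool) *counter {
	return &counter{series: make(map[string]int64), filter: filter}
}

// Add records n against the (filtered) attribute set, creating a series if needed.
func (c *counter) Add(a attrs, n int64) {
	kept := attrs{}
	for k, v := range a {
		if c.filter == nil || c.filter(k) {
			kept[k] = v
		}
	}
	c.series[kept.key()] += n
}

// Series reports how many distinct series the instrument currently stores.
func (c *counter) Series() int { return len(c.series) }

// dropPeerSock plays the role of the workaround View: remove the two unbounded keys.
func dropPeerSock(k string) bool { return k != attrPeerAddr && k != attrPeerPort }

// floodRPCs simulates an attacker sending one RPC per connection from each source IP,
// where every connection lands on a new ephemeral source port (constructed values).
func floodRPCs(c *counter, ips []string, connsPerIP int) {
	for _, ip := range ips {
		for i := 0; i < connsPerIP; i++ {
			port := 32768 + i // Linux ephemeral range starts here
			c.Add(attrs{
				"rpc.system":  "grpc",
				"rpc.service": "example.Echo",
				"rpc.method":  "Ping",
				attrPeerAddr:  ip,
				attrPeerPort:  fmt.Sprint(port),
			}, 1)
		}
	}
}

// SeriesAfterFlood runs the same flood against the vulnerable default and the
// filtered instrument and returns the resulting series counts.
func SeriesAfterFlood(ips []string, connsPerIP int) (vulnerable, hardened int) {
	v := newCounter(nil)
	h := newCounter(dropPeerSock)
	floodRPCs(v, ips, connsPerIP)
	floodRPCs(h, ips, connsPerIP)
	return v.Series(), h.Series()
}

func main() {
	ips := []string{"198.51.100.10", "198.51.100.11"} // constructed sample peers
	v, h := SeriesAfterFlood(ips, 1000)
	fmt.Printf("series with peer addr/port kept:    %d\n", v) // grows with every connection
	fmt.Printf("series with peer addr/port dropped: %d\n", h) // one series for this method
}
```

The model makes the asymmetry explicit: the attacker's cost is one TCP connection per new series, while the server's cost is a permanently retained aggregation entry, so the series count, and the memory behind it, is bounded only by the address and port space the attacker can reach. Dropping the two keys before aggregation is what a View-based workaround achieves in the real SDK; disabling gRPC metrics instrumentation removes the instrument altogether.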

Affected Version(s)

opentelemetry-go-contrib >= 0.37.0, < 0.46.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 10 November 2023

  • Vulnerability Reserved
