Unsafe Decompression Vulnerability in OpenTelemetry Collector Could Lead to Crash
CVE-2024-36129

7.5 HIGH

What is CVE-2024-36129?

The OpenTelemetry Collector implements a vendor-agnostic framework for processing and exporting telemetry data. This vulnerability allows unauthenticated attackers to exploit unsafe decompression within the collector: compressed request bodies are decompressed without a bound on the decompressed size, so a small compressed payload can expand into an allocation large enough to cause significant memory consumption and crash the service. OpenTelemetry Collector versions prior to 0.102.1, confighttp module versions prior to 0.102.0, and configgrpc module versions prior to 0.102.1 are affected. Users running these versions should apply the recommended updates to mitigate the risk.
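The mitigation the advisory calls for is a cap on the decompressed size, not on the compressed size on the wire. The following Go program is an added illustration and is not code from the OpenTelemetry Collector or its confighttp/configgrpc modules: it builds a constructed gzip payload (8 MiB of one byte, which compresses to a few KiB), shows the weak pattern that inflates it fully, and beside it a bounded decompressor and a hypothetical HTTP middleware (`boundedGzipMiddleware`, `newIngestServer`) that reject the body with 413 once the inflated size passes the configured limit. The route `/v1/traces` and the 1 MiB limit are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrDecompressedTooLarge is returned when the inflated payload exceeds the configured cap.
var ErrDecompressedTooLarge = errors.New("decompressed body exceeds limit")

// makeGzipPayload builds a constructed sample: n bytes of a repeated byte, gzip-compressed.
// Highly repetitive input is what makes a tiny compressed body inflate to a large one.
func makeGzipPayload(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_, _ = zw.Write(bytes.Repeat([]byte{'A'}, n))
	_ = zw.Close()
	return buf.Bytes()
}

// decompressUnbounded mirrors the weak pattern: inflate the whole body with no cap,
// so the allocation is controlled entirely by the sender.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// decompressBounded inflates at most maxDecompressed bytes and fails closed past that.
// Reading one byte past the limit distinguishes "exactly at the limit" from "over it".
func decompressBounded(compressed []byte, maxDecompressed int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, maxDecompressed+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxDecompressed {
		return nil, ErrDecompressedTooLarge
	}
	return data, nil
}

// boundedGzipMiddleware (hypothetical) transparently inflates gzip request bodies with a cap
// and answers 413 when the inflated size exceeds it, before the inner handler sees the body.
func boundedGzipMiddleware(maxDecompressed int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Content-Encoding") != "gzip" {
			next.ServeHTTP(w, r)
			return
		}
		raw, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		data, err := decompressBounded(raw, maxDecompressed)
		if errors.Is(err, ErrDecompressedTooLarge) {
			http.Error(w, "decompressed body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad gzip body", http.StatusBadRequest)
			return
		}
		// Hand the inner handler a plain, already-bounded body.
		r.Body = io.NopCloser(bytes.NewReader(data))
		r.Header.Del("Content-Encoding")
		r.ContentLength = int64(len(data))
		next.ServeHTTP(w, r)
	})
}

// newIngestServer (hypothetical) stands in for a receiver endpoint; it accepts any
// successfully inflated body with 202 Accepted.
func newIngestServer(maxDecompressed int64) http.Handler {
	accept := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = io.Copy(io.Discard, r.Body)
		w.WriteHeader(http.StatusAccepted)
	})
	return boundedGzipMiddleware(maxDecompressed, accept)
}

// postGzip sends a gzip-encoded POST to the handler in-process and returns the status code.
func postGzip(h http.Handler, payload []byte) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/traces", bytes.NewReader(payload))
	req.Header.Set("Content-Encoding", "gzip")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	big := makeGzipPayload(8 << 20) // 8 MiB inflated, a few KiB compressed
	fmt.Printf("compressed size: %d bytes\n", len(big))
	out, _ := decompressUnbounded(big)
	fmt.Printf("unbounded: inflated to %d bytes\n", len(out))
	_, err := decompressBounded(big, 1<<20)
	fmt.Printf("bounded (1 MiB cap): %v\n", err)
	fmt.Printf("HTTP status with cap: %d\n", postGzip(newIngestServer(1<<20), big))
}
```

The limit belongs on the inflated stream, which is why `decompressBounded` wraps the gzip reader rather than the network body; a limit on the compressed bytes alone would still admit a payload that inflates to many times its size.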

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

.