Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2023-47108

Опубликовано: 10 нояб. 2023
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS3: 7.5

Описание

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

РелизСтатусПримечание
devel

needs-triage

esm-infra/focal

DNE

focal

DNE

jammy

DNE

mantic

DNE

noble

DNE

oracular

ignored

end of life, was needs-triage
plucky

needs-triage

questing

needs-triage

upstream

needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 85%
0.02678
Низкий

7.5 High

CVSS3

Связанные уязвимости

CVSS3: 7.5
redhat
почти 2 года назад

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

CVSS3: 7.5
nvd
почти 2 года назад

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

CVSS3: 7.5
msrc
почти 2 года назад

Описание отсутствует

CVSS3: 7.5
github
почти 2 года назад

otelgrpc DoS vulnerability due to unbound cardinality metrics

CVSS3: 7.5
fstec
почти 2 года назад

Уязвимость набора дополнительных инструментов и библиотек для языка Go, предназначенных для интеграции с OpenTelemetry, OpenTelemetry-Go Contrib, связанная с распределением ресурсов без ограничений и регулирования, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 85%
0.02678
Низкий

7.5 High

CVSS3