fkie_cve-2024-36129
Vulnerability from fkie_nvd
Published
2024-06-05 18:15
Modified
2024-11-21 09:21
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
References
security-advisories@github.comhttps://github.com/open-telemetry/opentelemetry-collector/pull/10289Patch
security-advisories@github.comhttps://github.com/open-telemetry/opentelemetry-collector/pull/10323Patch
security-advisories@github.comhttps://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4vExploit, Third Party Advisory
security-advisories@github.comhttps://opentelemetry.io/blog/2024/cve-2024-36129Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-telemetry/opentelemetry-collector/pull/10289Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-telemetry/opentelemetry-collector/pull/10323Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4vExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://opentelemetry.io/blog/2024/cve-2024-36129Vendor Advisory
Impacted products
Vendor Product Version
opentelemetry configgrpc *
opentelemetry confighttp *
opentelemetry opentelemetry_collector *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:opentelemetry:configgrpc:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "327CE873-41EC-401C-AF22-0A179C4A37D0",
              "versionEndExcluding": "0.102.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:opentelemetry:confighttp:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "13F55EF7-B8F7-4344-BE0C-C8129E57A306",
              "versionEndExcluding": "0.102.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:opentelemetry:opentelemetry_collector:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F3C518A-75AF-4A34-83DF-9FCB346FE5EF",
              "versionEndExcluding": "0.102.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue.  It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.\n"
    },
    {
      "lang": "es",
      "value": "OpenTelemetry Collector ofrece una implementaci\u00f3n independiente del proveedor sobre c\u00f3mo recibir, procesar y exportar datos de telemetr\u00eda. Una vulnerabilidad de descompresi\u00f3n insegura permite a atacantes no autenticados bloquear el recopilador mediante un consumo excesivo de memoria. La versi\u00f3n 0.102.1 de OTel Collector soluciona este problema. Tambi\u00e9n est\u00e1 corregido en la versi\u00f3n 0.102.0 del m\u00f3dulo confighttp y en la versi\u00f3n 0.102.1 del m\u00f3dulo configgrpc."
    }
  ],
  "id": "CVE-2024-36129",
  "lastModified": "2024-11-21T09:21:40.733",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-06-05T18:15:10.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://opentelemetry.io/blog/2024/cve-2024-36129"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://opentelemetry.io/blog/2024/cve-2024-36129"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.