csaf_suse - suse-su-2025:20091-1

suse-su-2025:20091-1

Vulnerability from csaf_suse

Published

2025-02-03 09:10

Modified

2025-02-03 09:10

Summary

Security update for containerd

Notes

Title of the patch

Security update for containerd

Description of the patch

This update for containerd fixes the following issues: - Update to containerd v1.7.21. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.21 Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Update to containerd v1.7.17. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.17 - Update to containerd v1.7.16. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.16 CVE-2023-45288 bsc#1221400 - Update to containerd v1.7.15. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.15 - Update to containerd v1.7.14. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.14 - Update to containerd v1.7.13. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.13 - Update to containerd v1.7.12. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.12 - Update to containerd v1.7.11. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.11 GHSA-jq35-85cj-fj4p bsc#1224323

Patchnames

SUSE-SLE-Micro-6.0-147

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for containerd",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for containerd fixes the following issues:\n\n- Update to containerd v1.7.21. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.21\n  Fixes CVE-2023-47108. bsc#1217070\n  Fixes CVE-2023-45142. bsc#1228553\n\n- Update to containerd v1.7.17. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.17\n\n- Update to containerd v1.7.16. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.16\n  CVE-2023-45288 bsc#1221400\n\n- Update to containerd v1.7.15. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.15\n\n- Update to containerd v1.7.14. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.14\n\n- Update to containerd v1.7.13. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.13\n\n- Update to containerd v1.7.12. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.12\n\n- Update to containerd v1.7.11. Upstream release notes:\n  https://github.com/containerd/containerd/releases/tag/v1.7.11\n  GHSA-jq35-85cj-fj4p bsc#1224323\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.0-147",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20091-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20091-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520091-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20091-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021225.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1200528",
        "url": "https://bugzilla.suse.com/1200528"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1217070",
        "url": "https://bugzilla.suse.com/1217070"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221400",
        "url": "https://bugzilla.suse.com/1221400"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224323",
        "url": "https://bugzilla.suse.com/1224323"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1228553",
        "url": "https://bugzilla.suse.com/1228553"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-1996 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-1996/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-45142 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-45142/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-45288 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-45288/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-47108 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-47108/"
      }
    ],
    "title": "Security update for containerd",
    "tracking": {
      "current_release_date": "2025-02-03T09:10:07Z",
      "generator": {
        "date": "2025-02-03T09:10:07Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20091-1",
      "initial_release_date": "2025-02-03T09:10:07Z",
      "revision_history": [
        {
          "date": "2025-02-03T09:10:07Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.7.21-1.1.aarch64",
                "product": {
                  "name": "containerd-1.7.21-1.1.aarch64",
                  "product_id": "containerd-1.7.21-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.7.21-1.1.s390x",
                "product": {
                  "name": "containerd-1.7.21-1.1.s390x",
                  "product_id": "containerd-1.7.21-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "containerd-1.7.21-1.1.x86_64",
                "product": {
                  "name": "containerd-1.7.21-1.1.x86_64",
                  "product_id": "containerd-1.7.21-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.0",
                "product": {
                  "name": "SUSE Linux Micro 6.0",
                  "product_id": "SUSE Linux Micro 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.7.21-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64"
        },
        "product_reference": "containerd-1.7.21-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.7.21-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x"
        },
        "product_reference": "containerd-1.7.21-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "containerd-1.7.21-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
        },
        "product_reference": "containerd-1.7.21-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-1996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-1996",
          "url": "https://www.suse.com/security/cve/CVE-2022-1996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200528 for CVE-2022-1996",
          "url": "https://bugzilla.suse.com/1200528"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T09:10:07Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-1996"
    },
    {
      "cve": "CVE-2023-45142",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-45142"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-45142",
          "url": "https://www.suse.com/security/cve/CVE-2023-45142"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1228553 for CVE-2023-45142",
          "url": "https://bugzilla.suse.com/1228553"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T09:10:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-45142"
    },
    {
      "cve": "CVE-2023-45288",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-45288"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-45288",
          "url": "https://www.suse.com/security/cve/CVE-2023-45288"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221400 for CVE-2023-45288",
          "url": "https://bugzilla.suse.com/1221400"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T09:10:07Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-45288"
    },
    {
      "cve": "CVE-2023-47108",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-47108"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
          "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-47108",
          "url": "https://www.suse.com/security/cve/CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217070 for CVE-2023-47108",
          "url": "https://bugzilla.suse.com/1217070"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.aarch64",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.s390x",
            "SUSE Linux Micro 6.0:containerd-1.7.21-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T09:10:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-47108"
    }
  ]
}

CVE-2023-47108 (GCVE-0-2023-47108)

Vulnerability from cvelistv5

Published

2023-11-10 18:31

Modified

2024-09-03 17:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

References

►

URL

Tags

	https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw	x_refsource_CONFIRM
	https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138	x_refsource_MISC
	https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	open-telemetry	opentelemetry-go-contrib	Version: < 0.46.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:01:22.674Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
          },
          {
            "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47108",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T17:26:16.403179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:26:56.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go-contrib",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.46.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-10T18:31:33.730Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
        },
        {
          "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
        }
      ],
      "source": {
        "advisory": "GHSA-8pgv-569h-w5rw",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics "
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-47108",
    "datePublished": "2023-11-10T18:31:33.730Z",
    "dateReserved": "2023-10-30T19:57:51.673Z",
    "dateUpdated": "2024-09-03T17:26:56.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-45288 (GCVE-0-2023-45288)

Vulnerability from cvelistv5

Published

2024-04-04 20:37

Modified

2025-02-13 17:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400: Uncontrolled Resource Consumption

Summary

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

References

►

URL

Tags

	https://go.dev/issue/65051
	https://go.dev/cl/576155
	https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
	https://pkg.go.dev/vuln/GO-2024-2687
	https://security.netapp.com/advisory/ntap-20240419-0009/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
	http://www.openwall.com/lists/oss-security/2024/04/05/4
	http://www.openwall.com/lists/oss-security/2024/04/03/16

Impacted products

Vendor

Product

Version

►

Go standard library

net/http

Version: 0 ≤
Version: 1.22.0-0 ≤

golang.org/x/net

golang.org/x/net/http2

Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:21:15.329Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/65051"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/576155"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2024-2687"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "net\\/http",
            "vendor": "go_standard_library",
            "versions": [
              {
                "lessThan": "1.21.9",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "1.22.2",
                "status": "affected",
                "version": "1.22.0-0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "http2",
            "vendor": "golang",
            "versions": [
              {
                "lessThan": "0.23.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-45288",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-05T17:08:42.212936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T20:40:01.996Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "http2Framer.readMetaFrame"
            },
            {
              "name": "CanonicalHeaderKey"
            },
            {
              "name": "Client.CloseIdleConnections"
            },
            {
              "name": "Client.Do"
            },
            {
              "name": "Client.Get"
            },
            {
              "name": "Client.Head"
            },
            {
              "name": "Client.Post"
            },
            {
              "name": "Client.PostForm"
            },
            {
              "name": "Cookie.String"
            },
            {
              "name": "Cookie.Valid"
            },
            {
              "name": "Dir.Open"
            },
            {
              "name": "Error"
            },
            {
              "name": "Get"
            },
            {
              "name": "HandlerFunc.ServeHTTP"
            },
            {
              "name": "Head"
            },
            {
              "name": "Header.Add"
            },
            {
              "name": "Header.Del"
            },
            {
              "name": "Header.Get"
            },
            {
              "name": "Header.Set"
            },
            {
              "name": "Header.Values"
            },
            {
              "name": "Header.Write"
            },
            {
              "name": "Header.WriteSubset"
            },
            {
              "name": "ListenAndServe"
            },
            {
              "name": "ListenAndServeTLS"
            },
            {
              "name": "NewRequest"
            },
            {
              "name": "NewRequestWithContext"
            },
            {
              "name": "NotFound"
            },
            {
              "name": "ParseTime"
            },
            {
              "name": "Post"
            },
            {
              "name": "PostForm"
            },
            {
              "name": "ProxyFromEnvironment"
            },
            {
              "name": "ReadRequest"
            },
            {
              "name": "ReadResponse"
            },
            {
              "name": "Redirect"
            },
            {
              "name": "Request.AddCookie"
            },
            {
              "name": "Request.BasicAuth"
            },
            {
              "name": "Request.FormFile"
            },
            {
              "name": "Request.FormValue"
            },
            {
              "name": "Request.MultipartReader"
            },
            {
              "name": "Request.ParseForm"
            },
            {
              "name": "Request.ParseMultipartForm"
            },
            {
              "name": "Request.PostFormValue"
            },
            {
              "name": "Request.Referer"
            },
            {
              "name": "Request.SetBasicAuth"
            },
            {
              "name": "Request.UserAgent"
            },
            {
              "name": "Request.Write"
            },
            {
              "name": "Request.WriteProxy"
            },
            {
              "name": "Response.Cookies"
            },
            {
              "name": "Response.Location"
            },
            {
              "name": "Response.Write"
            },
            {
              "name": "ResponseController.EnableFullDuplex"
            },
            {
              "name": "ResponseController.Flush"
            },
            {
              "name": "ResponseController.Hijack"
            },
            {
              "name": "ResponseController.SetReadDeadline"
            },
            {
              "name": "ResponseController.SetWriteDeadline"
            },
            {
              "name": "Serve"
            },
            {
              "name": "ServeContent"
            },
            {
              "name": "ServeFile"
            },
            {
              "name": "ServeMux.ServeHTTP"
            },
            {
              "name": "ServeTLS"
            },
            {
              "name": "Server.Close"
            },
            {
              "name": "Server.ListenAndServe"
            },
            {
              "name": "Server.ListenAndServeTLS"
            },
            {
              "name": "Server.Serve"
            },
            {
              "name": "Server.ServeTLS"
            },
            {
              "name": "Server.SetKeepAlivesEnabled"
            },
            {
              "name": "Server.Shutdown"
            },
            {
              "name": "SetCookie"
            },
            {
              "name": "Transport.CancelRequest"
            },
            {
              "name": "Transport.Clone"
            },
            {
              "name": "Transport.CloseIdleConnections"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "body.Close"
            },
            {
              "name": "body.Read"
            },
            {
              "name": "bodyEOFSignal.Close"
            },
            {
              "name": "bodyEOFSignal.Read"
            },
            {
              "name": "bodyLocked.Read"
            },
            {
              "name": "bufioFlushWriter.Write"
            },
            {
              "name": "cancelTimerBody.Close"
            },
            {
              "name": "cancelTimerBody.Read"
            },
            {
              "name": "checkConnErrorWriter.Write"
            },
            {
              "name": "chunkWriter.Write"
            },
            {
              "name": "connReader.Read"
            },
            {
              "name": "connectMethodKey.String"
            },
            {
              "name": "expectContinueReader.Close"
            },
            {
              "name": "expectContinueReader.Read"
            },
            {
              "name": "extraHeader.Write"
            },
            {
              "name": "fileHandler.ServeHTTP"
            },
            {
              "name": "fileTransport.RoundTrip"
            },
            {
              "name": "globalOptionsHandler.ServeHTTP"
            },
            {
              "name": "gzipReader.Close"
            },
            {
              "name": "gzipReader.Read"
            },
            {
              "name": "http2ClientConn.Close"
            },
            {
              "name": "http2ClientConn.Ping"
            },
            {
              "name": "http2ClientConn.RoundTrip"
            },
            {
              "name": "http2ClientConn.Shutdown"
            },
            {
              "name": "http2ConnectionError.Error"
            },
            {
              "name": "http2ErrCode.String"
            },
            {
              "name": "http2FrameHeader.String"
            },
            {
              "name": "http2FrameType.String"
            },
            {
              "name": "http2FrameWriteRequest.String"
            },
            {
              "name": "http2Framer.ReadFrame"
            },
            {
              "name": "http2Framer.WriteContinuation"
            },
            {
              "name": "http2Framer.WriteData"
            },
            {
              "name": "http2Framer.WriteDataPadded"
            },
            {
              "name": "http2Framer.WriteGoAway"
            },
            {
              "name": "http2Framer.WriteHeaders"
            },
            {
              "name": "http2Framer.WritePing"
            },
            {
              "name": "http2Framer.WritePriority"
            },
            {
              "name": "http2Framer.WritePushPromise"
            },
            {
              "name": "http2Framer.WriteRSTStream"
            },
            {
              "name": "http2Framer.WriteRawFrame"
            },
            {
              "name": "http2Framer.WriteSettings"
            },
            {
              "name": "http2Framer.WriteSettingsAck"
            },
            {
              "name": "http2Framer.WriteWindowUpdate"
            },
            {
              "name": "http2GoAwayError.Error"
            },
            {
              "name": "http2Server.ServeConn"
            },
            {
              "name": "http2Setting.String"
            },
            {
              "name": "http2SettingID.String"
            },
            {
              "name": "http2SettingsFrame.ForeachSetting"
            },
            {
              "name": "http2StreamError.Error"
            },
            {
              "name": "http2Transport.CloseIdleConnections"
            },
            {
              "name": "http2Transport.NewClientConn"
            },
            {
              "name": "http2Transport.RoundTrip"
            },
            {
              "name": "http2Transport.RoundTripOpt"
            },
            {
              "name": "http2bufferedWriter.Flush"
            },
            {
              "name": "http2bufferedWriter.Write"
            },
            {
              "name": "http2chunkWriter.Write"
            },
            {
              "name": "http2clientConnPool.GetClientConn"
            },
            {
              "name": "http2connError.Error"
            },
            {
              "name": "http2dataBuffer.Read"
            },
            {
              "name": "http2duplicatePseudoHeaderError.Error"
            },
            {
              "name": "http2gzipReader.Close"
            },
            {
              "name": "http2gzipReader.Read"
            },
            {
              "name": "http2headerFieldNameError.Error"
            },
            {
              "name": "http2headerFieldValueError.Error"
            },
            {
              "name": "http2noDialClientConnPool.GetClientConn"
            },
            {
              "name": "http2noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "http2pipe.Read"
            },
            {
              "name": "http2priorityWriteScheduler.CloseStream"
            },
            {
              "name": "http2priorityWriteScheduler.OpenStream"
            },
            {
              "name": "http2pseudoHeaderError.Error"
            },
            {
              "name": "http2requestBody.Close"
            },
            {
              "name": "http2requestBody.Read"
            },
            {
              "name": "http2responseWriter.Flush"
            },
            {
              "name": "http2responseWriter.FlushError"
            },
            {
              "name": "http2responseWriter.Push"
            },
            {
              "name": "http2responseWriter.SetReadDeadline"
            },
            {
              "name": "http2responseWriter.SetWriteDeadline"
            },
            {
              "name": "http2responseWriter.Write"
            },
            {
              "name": "http2responseWriter.WriteHeader"
            },
            {
              "name": "http2responseWriter.WriteString"
            },
            {
              "name": "http2roundRobinWriteScheduler.OpenStream"
            },
            {
              "name": "http2serverConn.CloseConn"
            },
            {
              "name": "http2serverConn.Flush"
            },
            {
              "name": "http2stickyErrWriter.Write"
            },
            {
              "name": "http2transportResponseBody.Close"
            },
            {
              "name": "http2transportResponseBody.Read"
            },
            {
              "name": "http2writeData.String"
            },
            {
              "name": "initALPNRequest.ServeHTTP"
            },
            {
              "name": "loggingConn.Close"
            },
            {
              "name": "loggingConn.Read"
            },
            {
              "name": "loggingConn.Write"
            },
            {
              "name": "maxBytesReader.Close"
            },
            {
              "name": "maxBytesReader.Read"
            },
            {
              "name": "onceCloseListener.Close"
            },
            {
              "name": "persistConn.Read"
            },
            {
              "name": "persistConnWriter.ReadFrom"
            },
            {
              "name": "persistConnWriter.Write"
            },
            {
              "name": "populateResponse.Write"
            },
            {
              "name": "populateResponse.WriteHeader"
            },
            {
              "name": "readTrackingBody.Close"
            },
            {
              "name": "readTrackingBody.Read"
            },
            {
              "name": "readWriteCloserBody.Read"
            },
            {
              "name": "redirectHandler.ServeHTTP"
            },
            {
              "name": "response.Flush"
            },
            {
              "name": "response.FlushError"
            },
            {
              "name": "response.Hijack"
            },
            {
              "name": "response.ReadFrom"
            },
            {
              "name": "response.Write"
            },
            {
              "name": "response.WriteHeader"
            },
            {
              "name": "response.WriteString"
            },
            {
              "name": "serverHandler.ServeHTTP"
            },
            {
              "name": "socksDialer.DialWithConn"
            },
            {
              "name": "socksUsernamePassword.Authenticate"
            },
            {
              "name": "stringWriter.WriteString"
            },
            {
              "name": "timeoutHandler.ServeHTTP"
            },
            {
              "name": "timeoutWriter.Write"
            },
            {
              "name": "timeoutWriter.WriteHeader"
            },
            {
              "name": "transportReadFromServerError.Error"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.21.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.22.2",
              "status": "affected",
              "version": "1.22.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "Framer.readMetaFrame"
            },
            {
              "name": "ClientConn.Close"
            },
            {
              "name": "ClientConn.Ping"
            },
            {
              "name": "ClientConn.RoundTrip"
            },
            {
              "name": "ClientConn.Shutdown"
            },
            {
              "name": "ConfigureServer"
            },
            {
              "name": "ConfigureTransport"
            },
            {
              "name": "ConfigureTransports"
            },
            {
              "name": "ConnectionError.Error"
            },
            {
              "name": "ErrCode.String"
            },
            {
              "name": "FrameHeader.String"
            },
            {
              "name": "FrameType.String"
            },
            {
              "name": "FrameWriteRequest.String"
            },
            {
              "name": "Framer.ReadFrame"
            },
            {
              "name": "Framer.WriteContinuation"
            },
            {
              "name": "Framer.WriteData"
            },
            {
              "name": "Framer.WriteDataPadded"
            },
            {
              "name": "Framer.WriteGoAway"
            },
            {
              "name": "Framer.WriteHeaders"
            },
            {
              "name": "Framer.WritePing"
            },
            {
              "name": "Framer.WritePriority"
            },
            {
              "name": "Framer.WritePushPromise"
            },
            {
              "name": "Framer.WriteRSTStream"
            },
            {
              "name": "Framer.WriteRawFrame"
            },
            {
              "name": "Framer.WriteSettings"
            },
            {
              "name": "Framer.WriteSettingsAck"
            },
            {
              "name": "Framer.WriteWindowUpdate"
            },
            {
              "name": "GoAwayError.Error"
            },
            {
              "name": "ReadFrameHeader"
            },
            {
              "name": "Server.ServeConn"
            },
            {
              "name": "Setting.String"
            },
            {
              "name": "SettingID.String"
            },
            {
              "name": "SettingsFrame.ForeachSetting"
            },
            {
              "name": "StreamError.Error"
            },
            {
              "name": "Transport.CloseIdleConnections"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "Transport.RoundTripOpt"
            },
            {
              "name": "bufferedWriter.Flush"
            },
            {
              "name": "bufferedWriter.Write"
            },
            {
              "name": "chunkWriter.Write"
            },
            {
              "name": "clientConnPool.GetClientConn"
            },
            {
              "name": "connError.Error"
            },
            {
              "name": "dataBuffer.Read"
            },
            {
              "name": "duplicatePseudoHeaderError.Error"
            },
            {
              "name": "gzipReader.Close"
            },
            {
              "name": "gzipReader.Read"
            },
            {
              "name": "headerFieldNameError.Error"
            },
            {
              "name": "headerFieldValueError.Error"
            },
            {
              "name": "noDialClientConnPool.GetClientConn"
            },
            {
              "name": "noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "pipe.Read"
            },
            {
              "name": "priorityWriteScheduler.CloseStream"
            },
            {
              "name": "priorityWriteScheduler.OpenStream"
            },
            {
              "name": "pseudoHeaderError.Error"
            },
            {
              "name": "requestBody.Close"
            },
            {
              "name": "requestBody.Read"
            },
            {
              "name": "responseWriter.Flush"
            },
            {
              "name": "responseWriter.FlushError"
            },
            {
              "name": "responseWriter.Push"
            },
            {
              "name": "responseWriter.SetReadDeadline"
            },
            {
              "name": "responseWriter.SetWriteDeadline"
            },
            {
              "name": "responseWriter.Write"
            },
            {
              "name": "responseWriter.WriteHeader"
            },
            {
              "name": "responseWriter.WriteString"
            },
            {
              "name": "roundRobinWriteScheduler.OpenStream"
            },
            {
              "name": "serverConn.CloseConn"
            },
            {
              "name": "serverConn.Flush"
            },
            {
              "name": "stickyErrWriter.Write"
            },
            {
              "name": "transportResponseBody.Close"
            },
            {
              "name": "transportResponseBody.Read"
            },
            {
              "name": "writeData.String"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Bartek Nowotarski (https://nowotarski.info/)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T17:10:07.754Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/65051"
        },
        {
          "url": "https://go.dev/cl/576155"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2024-2687"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
        }
      ],
      "title": "HTTP/2 CONTINUATION flood in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-45288",
    "datePublished": "2024-04-04T20:37:30.714Z",
    "dateReserved": "2023-10-06T17:06:26.221Z",
    "dateUpdated": "2025-02-13T17:14:01.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1996 (GCVE-0-2022-1996)

Vulnerability from cvelistv5

Published

2022-06-06 00:00

Modified

2024-08-03 00:24

Severity ?

9.3 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Summary

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

References

►

URL

Tags

	https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1
	https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220923-0005/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/	vendor-advisory

Impacted products

	Vendor	Product	Version
	emicklei	emicklei/go-restful	Version: unspecified < v3.8.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:24:43.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
          },
          {
            "name": "FEDORA-2022-185697ef56",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
          },
          {
            "name": "FEDORA-2022-589a0ad690",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
          },
          {
            "name": "FEDORA-2022-fae3ecee19",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
          },
          {
            "name": "FEDORA-2022-ba365d3703",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
          },
          {
            "name": "FEDORA-2022-30c5ed5625",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
          },
          {
            "name": "FEDORA-2023-6550d9323b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
          },
          {
            "name": "FEDORA-2023-4e2068ba5d",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
          },
          {
            "name": "FEDORA-2023-c9b2182a4e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emicklei/go-restful",
          "vendor": "emicklei",
          "versions": [
            {
              "lessThan": "v3.8.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-23T00:00:00",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
        },
        {
          "url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
        },
        {
          "name": "FEDORA-2022-185697ef56",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB/"
        },
        {
          "name": "FEDORA-2022-589a0ad690",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3/"
        },
        {
          "name": "FEDORA-2022-fae3ecee19",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"
        },
        {
          "name": "FEDORA-2022-ba365d3703",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/"
        },
        {
          "name": "FEDORA-2022-30c5ed5625",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220923-0005/"
        },
        {
          "name": "FEDORA-2023-6550d9323b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V/"
        },
        {
          "name": "FEDORA-2023-4e2068ba5d",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS/"
        },
        {
          "name": "FEDORA-2023-c9b2182a4e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY/"
        }
      ],
      "source": {
        "advisory": "be837427-415c-4d8c-808b-62ce20aa84f1",
        "discovery": "EXTERNAL"
      },
      "title": "Authorization Bypass Through User-Controlled Key in emicklei/go-restful"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-1996",
    "datePublished": "2022-06-06T00:00:00",
    "dateReserved": "2022-06-06T00:00:00",
    "dateUpdated": "2024-08-03T00:24:43.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-45142 (GCVE-0-2023-45142)

Vulnerability from cvelistv5

Published

2023-10-12 16:33

Modified

2025-02-13 17:13

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

References

►

URL

Tags

	https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr	x_refsource_CONFIRM
	https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277	x_refsource_MISC
	https://github.com/advisories/GHSA-cg3q-j54f-5p7p	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223	x_refsource_MISC
	https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/

Impacted products

	Vendor	Product	Version
	open-telemetry	opentelemetry-go-contrib	Version: < 0.44.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:14:19.751Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
          },
          {
            "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
          },
          {
            "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go-contrib",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.44.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-19T03:06:08.734Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
        },
        {
          "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
        }
      ],
      "source": {
        "advisory": "GHSA-rcjv-mgp8-qvmr",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-45142",
    "datePublished": "2023-10-12T16:33:21.435Z",
    "dateReserved": "2023-10-04T16:02:46.330Z",
    "dateUpdated": "2025-02-13T17:13:49.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2025:20091-1

Vulnerability from csaf_suse

CVE-2023-47108 (GCVE-0-2023-47108)

Vulnerability from cvelistv5

CVE-2023-45288 (GCVE-0-2023-45288)

Vulnerability from cvelistv5

CVE-2022-1996 (GCVE-0-2022-1996)

Vulnerability from cvelistv5

CVE-2023-45142 (GCVE-0-2023-45142)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature