CVE-2023-45142
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-45142 affects OpenTelemetry-Go Contrib, a collection of third-party packages for OpenTelemetry-Go. A handler wrapper in the library adds labels for `http.user_agent` and `http.method` with unbound cardinality, leading to potential memory exhaustion on servers when dealing with numerous malicious requests. An attacker can easily manipulate User-Agent or HTTP method for requests to be random and long. The vulnerability arises when a program uses `otelhttp.NewHandler` wrapper and does not filter unknown HTTP methods or User-agents on the CDN, LB, or previous middleware levels. The issue was addressed in version 0.44.0, which restricts collected attribute values for `http.request.method` to a set of well-known values, and removes other high cardinality attributes. As a workaround, `otelhttp.WithFilter()` can be used, but it requires careful manual configuration to avoid logging certain requests entirely. The library should by default mark non-standard HTTP methods and User-agents with the label `unknown` to indicate that such requests were made but do not increase cardinality. Alternatively, the library API should allow users to enable the current behavior.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions