CVE-2024-32028

CVSS 3.1 Score 4.1 of 10 (medium)

Details

Published Apr 12, 2024
Updated: Apr 15, 2024
CWE ID 201
CWE ID 212

Summary

CVE-2024-32028 is a vulnerability affecting the OpenTelemetry dotnet telemetry framework. Specifically, the OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore versions are affected. The issue arises when tracing is enabled for outgoing or incoming HTTP requests, as the framework writes certain attributes/tags on spans. In previous versions up until 1.8.1, these attributes would pass-through the raw query string of the request or response, potentially exposing sensitive information such as end user identifiable information and credentials to telemetry backends. This poses a risk to privacy and security incidents within organizations using the affected versions of OpenTelemetry. The vulnerability has a base severity of MEDIUM with a base score of 4.1 according to CVSS:3.1, indicating a moderate level of danger. Remediation for this vulnerability involves updating to a version that addresses this issue to prevent potential leaks of sensitive information.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-32028 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options