CVE-2024-32028 – opentelemetry.instrumentation.http
Package
Manager: nuget
Name: opentelemetry.instrumentation.http
Vulnerable Version: >=0 <1.8.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
EPSS: 0.00042 (percentile 0.1178)
Details
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation Http and AspNetCore

## Impact

`OpenTelemetry.Instrumentation.Http` writes the `url.full` attribute/tag on spans (`Activity`) when tracing is enabled for outgoing HTTP requests, and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming HTTP requests. These attributes are defined by the [Semantic Conventions for HTTP Spans](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md).

Up until the `1.8.1` versions, the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` pass through the raw query string as it was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented), which could cause privacy and/or security incidents.

Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability.

## Resolution

The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query string: `?key1=value1&key2=value2`

Example of redacted value written on telemetry: `?key1=Redacted&key2=Redacted`
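The following added example (not code from the advisory or from the OpenTelemetry .NET project) approximates the 1.8.1 default behaviour described above, replacing every query value with the literal `Redacted` while keeping the keys, and wraps it in a span processor that can act as a backstop where upgrading is not yet possible. It assumes the `OpenTelemetry` SDK package (for `BaseProcessor<Activity>`), the `url.full`/`url.query` tag names used by the 1.8.x instrumentations, and a constructed sample URL; bare keys without `=` and fragment handling are assumptions about edge cases the advisory does not spell out.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using OpenTelemetry; // BaseProcessor<T> from the OpenTelemetry SDK package (assumed referenced)

public static class QueryRedactor
{
    // Replace every value in "?k1=v1&k2=v2" with "Redacted"; keys are preserved.
    // Assumption: a bare key with no '=' is left untouched, since it carries no value.
    public static string RedactQuery(string query)
    {
        if (string.IsNullOrEmpty(query)) return query;
        bool hasQuestion = query.StartsWith("?");
        string body = hasQuestion ? query.Substring(1) : query;
        if (body.Length == 0) return query;
        var pairs = body.Split('&').Select(pair =>
        {
            int eq = pair.IndexOf('=');
            return eq < 0 ? pair : pair.Substring(0, eq) + "=Redacted";
        });
        return (hasQuestion ? "?" : string.Empty) + string.Join("&", pairs);
    }

    // Redact only the query part of a full URL; scheme/host/path and any fragment stay as-is.
    public static string RedactUrl(string url)
    {
        int hash = url.IndexOf('#');
        string fragment = hash < 0 ? string.Empty : url.Substring(hash);
        string main = hash < 0 ? url : url.Substring(0, hash);
        int q = main.IndexOf('?');
        return q < 0 ? url : main.Substring(0, q) + RedactQuery(main.Substring(q)) + fragment;
    }
}

// Backstop for instrumentation versions before 1.8.1: rewrite the tags when the span ends,
// before any exporter sees them. Register with tracerProviderBuilder.AddProcessor(new QueryRedactionProcessor()).
// Older instrumentation versions may use different tag names; adjust the two names to match the version in use.
public sealed class QueryRedactionProcessor : BaseProcessor<Activity>
{
    public override void OnEnd(Activity activity)
    {
        if (activity.GetTagItem("url.full") is string full)
            activity.SetTag("url.full", QueryRedactor.RedactUrl(full));
        if (activity.GetTagItem("url.query") is string query)
            activity.SetTag("url.query", QueryRedactor.RedactQuery(query));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a token and an e-mail address in the query string.
        Console.WriteLine(QueryRedactor.RedactUrl("https://api.example.com/users?token=s3cr3t&email=a%40b.com#top"));
        Console.WriteLine(QueryRedactor.RedactQuery("?key1=value1&key2=value2"));
    }
}
```

Redaction at the processor stage only protects what leaves the process; the raw `Activity` tags still exist in memory until `OnEnd` runs, so upgrading to 1.8.1 remains the actual fix.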
Metadata
Created: 2024-04-12T22:54:09Z
Modified: 2024-04-15T19:41:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vh2m-22xx-q94f/GHSA-vh2m-22xx-q94f.json
CWE IDs: ["CWE-201", "CWE-212"]
Alternative ID: GHSA-vh2m-22xx-q94f
Finding: F017
Auto approve: 1