Search

Find a vulnerability

Search criteria

    26 vulnerabilities found for opentelemetry by opentelemetry

    CVE-2026-44967 (GCVE-0-2026-44967)

    Vulnerability from nvd – Published: 2026-06-12 14:52 – Updated: 2026-06-12 16:10
    VLAI
    Title
    opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
    Summary
    OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44967",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:10:44.803865Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:10:48.362Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-cpp",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:52:00.124Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078"
            }
          ],
          "source": {
            "advisory": "GHSA-5qhm-4rfp-qqvj",
            "discovery": "UNKNOWN"
          },
          "title": "opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44967",
        "datePublished": "2026-06-12T14:52:00.124Z",
        "dateReserved": "2026-05-08T16:23:33.263Z",
        "dateUpdated": "2026-06-12T16:10:48.362Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41178 (GCVE-0-2026-41178)

    Vulnerability from nvd – Published: 2026-06-04 14:38 – Updated: 2026-06-04 15:46
    VLAI
    Title
    OpenTelemetry-Go's baggage parsing no longer caps raw header length
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41178",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T15:46:06.715583Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:46:11.923Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go.opentelemetry.io/otel/baggage",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.41.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.43.0"
                }
              ]
            },
            {
              "product": "go.opentelemetry.io/otel/propagation",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.41.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T14:38:23.707Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/pull/7880",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/pull/7880"
            }
          ],
          "source": {
            "advisory": "GHSA-5wrp-cwcj-q835",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go\u0027s baggage parsing no longer caps raw header length"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41178",
        "datePublished": "2026-06-04T14:38:23.707Z",
        "dateReserved": "2026-04-17T16:34:45.526Z",
        "dateUpdated": "2026-06-04T15:46:11.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41078 (GCVE-0-2026-41078)

    Vulnerability from nvd – Published: 2026-04-23 18:05 – Updated: 2026-04-23 18:52
    VLAI
    Title
    OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:52:04.471326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:52:26.466Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.6.0-rc.1"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Exporter.Jaeger",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.6.0-rc.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T18:05:41.367Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"
            }
          ],
          "source": {
            "advisory": "GHSA-38h3-2333-qx47",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41078",
        "datePublished": "2026-04-23T18:05:41.367Z",
        "dateReserved": "2026-04-16T16:43:03.176Z",
        "dateUpdated": "2026-04-23T18:52:26.466Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40894 (GCVE-0-2026-40894)

    Vulnerability from nvd – Published: 2026-04-23 18:03 – Updated: 2026-04-23 19:22
    VLAI
    Title
    OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40894",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T19:22:40.530419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T19:22:47.268Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Api",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Extensions.Propagators",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.3.1, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T18:03:28.211Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"
            }
          ],
          "source": {
            "advisory": "GHSA-g94r-2vxg-569j",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40894",
        "datePublished": "2026-04-23T18:03:28.211Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-23T19:22:47.268Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40891 (GCVE-0-2026-40891)

    Vulnerability from nvd – Published: 2026-04-23 17:54 – Updated: 2026-04-23 18:23
    VLAI
    Title
    OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:22:43.489569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:23:08.858Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Exporter.OpenTelemetryProtocol",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T17:54:36.033Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"
            }
          ],
          "source": {
            "advisory": "GHSA-mr8r-92fq-pj8p",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40891",
        "datePublished": "2026-04-23T17:54:36.033Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-23T18:23:08.858Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40182 (GCVE-0-2026-40182)

    Vulnerability from nvd – Published: 2026-04-23 17:51 – Updated: 2026-04-23 18:38
    VLAI
    Title
    OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-dotnet Affected: >= 1.13.1, < 1.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:38:48.491134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:38:57.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T17:51:34.961Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-proto/pull/781",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781"
            }
          ],
          "source": {
            "advisory": "GHSA-q834-8qmm-v933",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40182",
        "datePublished": "2026-04-23T17:51:34.961Z",
        "dateReserved": "2026-04-09T20:59:17.619Z",
        "dateUpdated": "2026-04-23T18:38:57.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39883 (GCVE-0-2026-39883)

    Vulnerability from nvd – Published: 2026-04-08 20:26 – Updated: 2026-07-10 12:06
    VLAI
    Title
    OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go Affected: >= 1.15.0, < 1.43.0
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4.22     cpe:/a:redhat:openshift_data_foundation:4.22::el9
    Create a notification for this product.
    Red Hat multicluster engine for Kubernetes 2.8     cpe:/a:redhat:multicluster_engine:2.8::el8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39883",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:52:34.310842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:52:54.819Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4.22::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4.22",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine:2.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "multicluster engine for Kubernetes 2.8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-08T20:26:41.731Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system\u0027s PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-426",
                    "description": "Untrusted Search Path",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T12:06:06.868Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39883"
              },
              {
                "name": "RHBZ#2456718",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456718"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39883.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:37387"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26257"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26254"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26257: multicluster engine for Kubernetes 2.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26254: multicluster engine for Kubernetes 2.8"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-08T21:01:31.690Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-08T20:26:41.731Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.15.0, \u003c 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426: Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T20:26:41.731Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
            },
            {
              "name": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
            }
          ],
          "source": {
            "advisory": "GHSA-hfvc-g4fc-pqhx",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39883",
        "datePublished": "2026-04-08T20:26:41.731Z",
        "dateReserved": "2026-04-07T20:32:03.010Z",
        "dateUpdated": "2026-07-10T12:06:06.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39882 (GCVE-0-2026-39882)

    Vulnerability from nvd – Published: 2026-04-08 20:24 – Updated: 2026-04-09 20:22
    VLAI
    Title
    OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39882",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T20:21:49.122499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T20:22:03.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T20:24:19.246Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/pull/8108",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/pull/8108"
            }
          ],
          "source": {
            "advisory": "GHSA-w8rr-5gcm-pp58",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39882",
        "datePublished": "2026-04-08T20:24:19.246Z",
        "dateReserved": "2026-04-07T20:32:03.010Z",
        "dateUpdated": "2026-04-09T20:22:03.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29181 (GCVE-0-2026-29181)

    Vulnerability from nvd – Published: 2026-04-07 20:29 – Updated: 2026-06-30 12:07
    VLAI
    Title
    OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29181",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T15:36:53.783712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T15:37:02.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine:2.11::el9"
                ],
                "defaultStatus": "affected",
                "product": "multicluster engine for Kubernetes 2.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T20:29:13.933Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in OpenTelemetry-Go, the Go implementation of OpenTelemetry. A remote attacker can exploit this vulnerability by sending multiple \u0027baggage\u0027 header lines. The system\u0027s independent parsing and aggregation of each header field-value across multiple values can lead to amplified CPU and memory allocations, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:52.686Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-29181"
              },
              {
                "name": "RHBZ#2456252",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456252"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29181.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25271"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:25271: multicluster engine for Kubernetes 2.11"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T21:01:21.484Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T20:29:13.933Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.41.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T20:29:13.933Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"
            }
          ],
          "source": {
            "advisory": "GHSA-mh2q-q3fh-2475",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29181",
        "datePublished": "2026-04-07T20:29:13.933Z",
        "dateReserved": "2026-03-04T14:44:00.713Z",
        "dateUpdated": "2026-06-30T12:07:52.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24051 (GCVE-0-2026-24051)

    Vulnerability from nvd – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54
    VLAI
    Title
    OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go Affected: >= 1.21.0, < 1.40.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T14:53:50.389773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T14:54:41.668Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.21.0, \u003c 1.40.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426: Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-02T19:49:10.038Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
            }
          ],
          "source": {
            "advisory": "GHSA-9h8m-3fm2-qjrq",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24051",
        "datePublished": "2026-02-02T19:49:10.038Z",
        "dateReserved": "2026-01-20T22:30:11.778Z",
        "dateUpdated": "2026-02-03T14:54:41.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-47108 (GCVE-0-2023-47108)

    Vulnerability from nvd – Published: 2023-11-10 18:31 – Updated: 2025-10-28 18:22
    VLAI
    Title
    DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
    Summary
    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go-contrib Affected: >= 0.37.0, < 0.46.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.674Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
              },
              {
                "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47108",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T17:26:16.403179Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T17:26:56.850Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.37.0, \u003c 0.46.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-28T18:22:47.393Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
            },
            {
              "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
            }
          ],
          "source": {
            "advisory": "GHSA-8pgv-569h-w5rw",
            "discovery": "UNKNOWN"
          },
          "title": "DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47108",
        "datePublished": "2023-11-10T18:31:33.730Z",
        "dateReserved": "2023-10-30T19:57:51.673Z",
        "dateUpdated": "2025-10-28T18:22:47.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45142 (GCVE-0-2023-45142)

    Vulnerability from nvd – Published: 2023-10-12 16:33 – Updated: 2025-02-13 17:13
    VLAI
    Title
    OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics
    Summary
    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.751Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
              },
              {
                "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.44.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-19T03:06:08.734Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
            },
            {
              "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
            }
          ],
          "source": {
            "advisory": "GHSA-rcjv-mgp8-qvmr",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45142",
        "datePublished": "2023-10-12T16:33:21.435Z",
        "dateReserved": "2023-10-04T16:02:46.330Z",
        "dateUpdated": "2025-02-13T17:13:49.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-43810 (GCVE-0-2023-43810)

    Vulnerability from nvd – Published: 2023-10-06 13:53 – Updated: 2024-09-19 18:45
    VLAI
    Title
    opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics
    Summary
    OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:52:11.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-43810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T18:44:51.665115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T18:45:01.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-python-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.41b0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T13:53:17.622Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0"
            }
          ],
          "source": {
            "advisory": "GHSA-5rv5-6h4r-h22v",
            "discovery": "UNKNOWN"
          },
          "title": "opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-43810",
        "datePublished": "2023-10-06T13:53:17.622Z",
        "dateReserved": "2023-09-22T14:51:42.341Z",
        "dateUpdated": "2024-09-19T18:45:01.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-44967 (GCVE-0-2026-44967)

    Vulnerability from cvelistv5 – Published: 2026-06-12 14:52 – Updated: 2026-06-12 16:10
    VLAI
    Title
    opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
    Summary
    OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44967",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-12T16:10:44.803865Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-12T16:10:48.362Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-cpp",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.27.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T14:52:00.124Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078"
            }
          ],
          "source": {
            "advisory": "GHSA-5qhm-4rfp-qqvj",
            "discovery": "UNKNOWN"
          },
          "title": "opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44967",
        "datePublished": "2026-06-12T14:52:00.124Z",
        "dateReserved": "2026-05-08T16:23:33.263Z",
        "dateUpdated": "2026-06-12T16:10:48.362Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41178 (GCVE-0-2026-41178)

    Vulnerability from cvelistv5 – Published: 2026-06-04 14:38 – Updated: 2026-06-04 15:46
    VLAI
    Title
    OpenTelemetry-Go's baggage parsing no longer caps raw header length
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41178",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T15:46:06.715583Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:46:11.923Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go.opentelemetry.io/otel/baggage",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.41.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.43.0"
                }
              ]
            },
            {
              "product": "go.opentelemetry.io/otel/propagation",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.41.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T14:38:23.707Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/pull/7880",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/pull/7880"
            }
          ],
          "source": {
            "advisory": "GHSA-5wrp-cwcj-q835",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go\u0027s baggage parsing no longer caps raw header length"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41178",
        "datePublished": "2026-06-04T14:38:23.707Z",
        "dateReserved": "2026-04-17T16:34:45.526Z",
        "dateUpdated": "2026-06-04T15:46:11.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41078 (GCVE-0-2026-41078)

    Vulnerability from cvelistv5 – Published: 2026-04-23 18:05 – Updated: 2026-04-23 18:52
    VLAI
    Title
    OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:52:04.471326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:52:26.466Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.6.0-rc.1"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Exporter.Jaeger",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.6.0-rc.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T18:05:41.367Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"
            }
          ],
          "source": {
            "advisory": "GHSA-38h3-2333-qx47",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41078",
        "datePublished": "2026-04-23T18:05:41.367Z",
        "dateReserved": "2026-04-16T16:43:03.176Z",
        "dateUpdated": "2026-04-23T18:52:26.466Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40894 (GCVE-0-2026-40894)

    Vulnerability from cvelistv5 – Published: 2026-04-23 18:03 – Updated: 2026-04-23 19:22
    VLAI
    Title
    OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40894",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T19:22:40.530419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T19:22:47.268Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Api",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Extensions.Propagators",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.3.1, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T18:03:28.211Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"
            }
          ],
          "source": {
            "advisory": "GHSA-g94r-2vxg-569j",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40894",
        "datePublished": "2026-04-23T18:03:28.211Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-23T19:22:47.268Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40891 (GCVE-0-2026-40891)

    Vulnerability from cvelistv5 – Published: 2026-04-23 17:54 – Updated: 2026-04-23 18:23
    VLAI
    Title
    OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:22:43.489569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:23:08.858Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.3"
                }
              ]
            },
            {
              "product": "OpenTelemetry.Exporter.OpenTelemetryProtocol",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T17:54:36.033Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"
            }
          ],
          "source": {
            "advisory": "GHSA-mr8r-92fq-pj8p",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40891",
        "datePublished": "2026-04-23T17:54:36.033Z",
        "dateReserved": "2026-04-15T16:37:22.766Z",
        "dateUpdated": "2026-04-23T18:23:08.858Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40182 (GCVE-0-2026-40182)

    Vulnerability from cvelistv5 – Published: 2026-04-23 17:51 – Updated: 2026-04-23 18:38
    VLAI
    Title
    OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies
    Summary
    OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-dotnet Affected: >= 1.13.1, < 1.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T18:38:48.491134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T18:38:57.155Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-dotnet",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.1, \u003c 1.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T17:51:34.961Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-proto/pull/781",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-proto/pull/781"
            }
          ],
          "source": {
            "advisory": "GHSA-q834-8qmm-v933",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40182",
        "datePublished": "2026-04-23T17:51:34.961Z",
        "dateReserved": "2026-04-09T20:59:17.619Z",
        "dateUpdated": "2026-04-23T18:38:57.155Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39883 (GCVE-0-2026-39883)

    Vulnerability from cvelistv5 – Published: 2026-04-08 20:26 – Updated: 2026-07-10 12:06
    VLAI
    Title
    OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go Affected: >= 1.15.0, < 1.43.0
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4.22     cpe:/a:redhat:openshift_data_foundation:4.22::el9
    Create a notification for this product.
    Red Hat multicluster engine for Kubernetes 2.8     cpe:/a:redhat:multicluster_engine:2.8::el8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39883",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T20:52:34.310842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T20:52:54.819Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4.22::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Openshift Data Foundation 4.22",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine:2.8::el8"
                ],
                "defaultStatus": "affected",
                "product": "multicluster engine for Kubernetes 2.8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-08T20:26:41.731Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in OpenTelemetry-Go. On BSD and Solaris platforms, a local attacker could exploit a vulnerability related to the `kenv` command. By manipulating the system\u0027s PATH environment variable, an attacker could achieve arbitrary code execution or privilege escalation, leading to a compromise of system integrity and confidentiality."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-426",
                    "description": "Untrusted Search Path",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T12:06:06.868Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-39883"
              },
              {
                "name": "RHBZ#2456718",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456718"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39883.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:37387"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26257"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26254"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26257: multicluster engine for Kubernetes 2.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26254: multicluster engine for Kubernetes 2.8"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-08T21:01:31.690Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-08T20:26:41.731Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Arbitrary code execution via PATH hijacking on BSD/Solaris",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.15.0, \u003c 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426: Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T20:26:41.731Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
            },
            {
              "name": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0"
            }
          ],
          "source": {
            "advisory": "GHSA-hfvc-g4fc-pqhx",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39883",
        "datePublished": "2026-04-08T20:26:41.731Z",
        "dateReserved": "2026-04-07T20:32:03.010Z",
        "dateUpdated": "2026-07-10T12:06:06.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-39882 (GCVE-0-2026-39882)

    Vulnerability from cvelistv5 – Published: 2026-04-08 20:24 – Updated: 2026-04-09 20:22
    VLAI
    Title
    OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39882",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T20:21:49.122499Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T20:22:03.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.43.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T20:24:19.246Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/pull/8108",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/pull/8108"
            }
          ],
          "source": {
            "advisory": "GHSA-w8rr-5gcm-pp58",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39882",
        "datePublished": "2026-04-08T20:24:19.246Z",
        "dateReserved": "2026-04-07T20:32:03.010Z",
        "dateUpdated": "2026-04-09T20:22:03.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29181 (GCVE-0-2026-29181)

    Vulnerability from cvelistv5 – Published: 2026-04-07 20:29 – Updated: 2026-06-30 12:07
    VLAI
    Title
    OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29181",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T15:36:53.783712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T15:37:02.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine:2.11::el9"
                ],
                "defaultStatus": "affected",
                "product": "multicluster engine for Kubernetes 2.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:multicluster_engine"
                ],
                "defaultStatus": "affected",
                "product": "Multicluster Engine for Kubernetes",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-07T20:29:13.933Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in OpenTelemetry-Go, the Go implementation of OpenTelemetry. A remote attacker can exploit this vulnerability by sending multiple \u0027baggage\u0027 header lines. The system\u0027s independent parsing and aggregation of each header field-value across multiple values can lead to amplified CPU and memory allocations, resulting in a Denial of Service (DoS)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:52.686Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-29181"
              },
              {
                "name": "RHBZ#2456252",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456252"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29181.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:25271"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:25271: multicluster engine for Kubernetes 2.11"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-07T21:01:21.484Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-07T20:29:13.933Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.36.0, \u003c 1.41.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T20:29:13.933Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"
            }
          ],
          "source": {
            "advisory": "GHSA-mh2q-q3fh-2475",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29181",
        "datePublished": "2026-04-07T20:29:13.933Z",
        "dateReserved": "2026-03-04T14:44:00.713Z",
        "dateUpdated": "2026-06-30T12:07:52.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-24051 (GCVE-0-2026-24051)

    Vulnerability from cvelistv5 – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54
    VLAI
    Title
    OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
    Summary
    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go Affected: >= 1.21.0, < 1.40.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-24051",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T14:53:50.389773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T14:54:41.668Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.21.0, \u003c 1.40.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426: Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-02T19:49:10.038Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
            }
          ],
          "source": {
            "advisory": "GHSA-9h8m-3fm2-qjrq",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-24051",
        "datePublished": "2026-02-02T19:49:10.038Z",
        "dateReserved": "2026-01-20T22:30:11.778Z",
        "dateUpdated": "2026-02-03T14:54:41.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-47108 (GCVE-0-2023-47108)

    Vulnerability from cvelistv5 – Published: 2023-11-10 18:31 – Updated: 2025-10-28 18:22
    VLAI
    Title
    DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics
    Summary
    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    open-telemetry opentelemetry-go-contrib Affected: >= 0.37.0, < 0.46.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.674Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
              },
              {
                "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47108",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T17:26:16.403179Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T17:26:56.850Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.37.0, \u003c 0.46.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-28T18:22:47.393Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138"
            },
            {
              "name": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider"
            }
          ],
          "source": {
            "advisory": "GHSA-8pgv-569h-w5rw",
            "discovery": "UNKNOWN"
          },
          "title": "DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-47108",
        "datePublished": "2023-11-10T18:31:33.730Z",
        "dateReserved": "2023-10-30T19:57:51.673Z",
        "dateUpdated": "2025-10-28T18:22:47.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45142 (GCVE-0-2023-45142)

    Vulnerability from cvelistv5 – Published: 2023-10-12 16:33 – Updated: 2025-02-13 17:13
    VLAI
    Title
    OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics
    Summary
    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.751Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
              },
              {
                "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-go-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.44.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-19T03:06:08.734Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277"
            },
            {
              "name": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-cg3q-j54f-5p7p"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/"
            }
          ],
          "source": {
            "advisory": "GHSA-rcjv-mgp8-qvmr",
            "discovery": "UNKNOWN"
          },
          "title": "OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45142",
        "datePublished": "2023-10-12T16:33:21.435Z",
        "dateReserved": "2023-10-04T16:02:46.330Z",
        "dateUpdated": "2025-02-13T17:13:49.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-43810 (GCVE-0-2023-43810)

    Vulnerability from cvelistv5 – Published: 2023-10-06 13:53 – Updated: 2024-09-19 18:45
    VLAI
    Title
    opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics
    Summary
    OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:52:11.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e"
              },
              {
                "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-43810",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T18:44:51.665115Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T18:45:01.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "opentelemetry-python-contrib",
              "vendor": "open-telemetry",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.41b0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, logs. Autoinstrumentation out of the box adds the label `http_method` that has unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. HTTP method for requests can be easily set by an attacker to be random and long. In order to be affected program has to be instrumented for HTTP handlers and does not filter any unknown HTTP methods on the level of CDN, LB, previous middleware, etc. This issue has been patched in version 0.41b0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T13:53:17.622Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/security/advisories/GHSA-5rv5-6h4r-h22v"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/commit/6007e0c013071e7f8b9612d3bc68aeb9d600d74e"
            },
            {
              "name": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/open-telemetry/opentelemetry-python-contrib/releases/tag/v0.41b0"
            }
          ],
          "source": {
            "advisory": "GHSA-5rv5-6h4r-h22v",
            "discovery": "UNKNOWN"
          },
          "title": "opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-43810",
        "datePublished": "2023-10-06T13:53:17.622Z",
        "dateReserved": "2023-09-22T14:51:42.341Z",
        "dateUpdated": "2024-09-19T18:45:01.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }