6 vulnerabilities found for opentelemetry-collector-contrib by open-telemetry
CVE-2026-42602 (GCVE-0-2026-42602)
Vulnerability from nvd – Published: 2026-05-13 20:12 – Updated: 2026-05-14 12:52
VLAI
Title
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
Summary
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib | Affected: >= 0.124.0, <= 0.150.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:51:31.756562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:52:53.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.124.0, \u003c= 0.150.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector\u0027s configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension\u0027s Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client\u0027s token to the result with string equality \u2014 and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:12:18.936Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"source": {
"advisory": "GHSA-pjv4-3c63-699f",
"discovery": "UNKNOWN"
},
"title": "azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42602",
"datePublished": "2026-05-13T20:12:18.936Z",
"dateReserved": "2026-04-29T00:31:15.725Z",
"dateUpdated": "2026-05-14T12:52:53.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45043 (GCVE-0-2024-45043)
Vulnerability from nvd – Published: 2024-08-28 20:06 – Updated: 2024-08-28 20:20
VLAI
Title
OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability
Summary
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://docs.aws.amazon.com/firehose/latest/dev/c… | x_refsource_MISC |
| https://docs.aws.amazon.com/firehose/latest/dev/h… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib | Affected: >= 0.49.0, < 0.108.0 | |
| opentelemetry | opentelemetry_collector_contrib | Affected: 0.49.0, < 0.108.0 (custom) | cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:0.49.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:0.49.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opentelemetry_collector_contrib",
"vendor": "opentelemetry",
"versions": [
{
"lessThan": "0.108.0",
"status": "affected",
"version": "0.49.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:18:43.111720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:20:49.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.49.0, \u003c 0.108.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the \u201calpha\u201d `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the \u201cContrib\u201d distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It\u2019s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:06:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74"
},
{
"name": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http"
},
{
"name": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector#alpha",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector#alpha"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib"
}
],
"source": {
"advisory": "GHSA-prf6-xjxh-p698",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45043",
"datePublished": "2024-08-28T20:06:34.510Z",
"dateReserved": "2024-08-21T17:53:51.330Z",
"dateUpdated": "2024-08-28T20:20:49.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42368 (GCVE-0-2024-42368)
Vulnerability from nvd – Published: 2024-08-13 19:31 – Updated: 2024-08-14 13:38
VLAI
Title
open-telemetry has an Observable Timing Discrepancy
Summary
OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant-time string comparison of the received and configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib | Affected: >= 0.80.0, < 0.107.0 | |
| opentelemetry | opentelemetry_collector_contrib | Affected: 0.80.0, < 0.107.0 (custom) | cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opentelemetry_collector_contrib",
"vendor": "opentelemetry",
"versions": [
{
"lessThan": "0.107.0",
"status": "affected",
"version": "0.80.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T13:34:34.981446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:38:51.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.80.0, \u003c 0.107.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension\u0027s server authenticator performs a simple, non-constant time string comparison of the received \u0026 configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector\u0027s telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T19:31:16.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a"
}
],
"source": {
"advisory": "GHSA-rfxf-mf63-cpqv",
"discovery": "UNKNOWN"
},
"title": "open-telemetry has an Observable Timing Discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42368",
"datePublished": "2024-08-13T19:31:16.814Z",
"dateReserved": "2024-07-30T14:01:33.923Z",
"dateUpdated": "2024-08-14T13:38:51.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42602 (GCVE-0-2026-42602)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:12 – Updated: 2026-05-14 12:52
VLAI
Title
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
Summary
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib | Affected: >= 0.124.0, <= 0.150.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:51:31.756562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:52:53.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.124.0, \u003c= 0.150.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector\u0027s configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension\u0027s Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client\u0027s token to the result with string equality \u2014 and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:12:18.936Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
}
],
"source": {
"advisory": "GHSA-pjv4-3c63-699f",
"discovery": "UNKNOWN"
},
"title": "azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42602",
"datePublished": "2026-05-13T20:12:18.936Z",
"dateReserved": "2026-04-29T00:31:15.725Z",
"dateUpdated": "2026-05-14T12:52:53.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45043 (GCVE-0-2024-45043)
Vulnerability from cvelistv5 – Published: 2024-08-28 20:06 – Updated: 2024-08-28 20:20
VLAI
Title
OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability
Summary
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://docs.aws.amazon.com/firehose/latest/dev/c… | x_refsource_MISC |
| https://docs.aws.amazon.com/firehose/latest/dev/h… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib | Affected: >= 0.49.0, < 0.108.0 | |
| opentelemetry | opentelemetry_collector_contrib | Affected: 0.49.0, < 0.108.0 (custom) | cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:0.49.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:0.49.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opentelemetry_collector_contrib",
"vendor": "opentelemetry",
"versions": [
{
"lessThan": "0.108.0",
"status": "affected",
"version": "0.49.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:18:43.111720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:20:49.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.49.0, \u003c 0.108.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the \u201calpha\u201d `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the \u201cContrib\u201d distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It\u2019s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:06:34.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74"
},
{
"name": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http"
},
{
"name": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector#alpha",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector#alpha"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib"
}
],
"source": {
"advisory": "GHSA-prf6-xjxh-p698",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45043",
"datePublished": "2024-08-28T20:06:34.510Z",
"dateReserved": "2024-08-21T17:53:51.330Z",
"dateUpdated": "2024-08-28T20:20:49.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42368 (GCVE-0-2024-42368)
Vulnerability from cvelistv5 – Published: 2024-08-13 19:31 – Updated: 2024-08-14 13:38
Title
open-telemetry has an Observable Timing Discrepancy
Summary
OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant-time string comparison of the received and configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using a constant-time comparison in 0.107.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib |
Affected:
>= 0.80.0, < 0.107.0
|
|
| opentelemetry | opentelemetry_collector_contrib |
Affected:
0.80.0, < 0.107.0
(custom)
cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opentelemetry_collector_contrib",
"vendor": "opentelemetry",
"versions": [
{
"lessThan": "0.107.0",
"status": "affected",
"version": "0.80.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T13:34:34.981446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:38:51.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.80.0, \u003c 0.107.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension\u0027s server authenticator performs a simple, non-constant time string comparison of the received \u0026 configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector\u0027s telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T19:31:16.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a"
}
],
"source": {
"advisory": "GHSA-rfxf-mf63-cpqv",
"discovery": "UNKNOWN"
},
"title": "open-telemetry has an Observable Timing Discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42368",
"datePublished": "2024-08-13T19:31:16.814Z",
"dateReserved": "2024-07-30T14:01:33.923Z",
"dateUpdated": "2024-08-14T13:38:51.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}