One Article Review

Home - The article:
Source CVE List
Identifier 8308391
Publication date 2023-02-08 20:15:24 (seen: 2023-02-08 22:08:20)
Title CVE-2023-25151
Text opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` uses the `httpconv.ServerRequest` function to annotate metric measurements for the `http.server.request_content_length`, `http.server.response_content_length`, and `http.server.duration` instruments. The `ServerRequest` function sets the `http.target` attribute value to the whole request URI (including the query string)[^1]. The metric instruments do not "forget" previous measurement attributes when `cumulative` temporality is used, so the cardinality of the measurements allocated is directly correlated with the number of unique URIs handled. If the query string is constantly random, this results in a constant increase in memory allocation that can be used in a denial-of-service attack. This issue has been addressed in version 0.39.0. Users are advised to upgrade. There are no known workarounds for this issue.
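The following Go program is an added illustration of the mechanism the advisory describes; it is not code from the advisory or from opentelemetry-go-contrib, and it does not import the OpenTelemetry SDK. It simulates a cumulative-temporality instrument as a map keyed on the attribute set, records the same request path with a different query string each time, and compares the number of series retained when the attribute carries the full request URI (the v0.38.0 behaviour) against an illustrative bounded variant that keys on the path only. The type and function names, the `http.route` attribute used for the bounded variant, and the sample URIs are all constructed here; the bounded variant is one way to remove the unbounded dimension, not a description of the 0.39.0 fix.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// attrSet is the canonical (sorted key=value;) rendering of one attribute set.
// Constructed simulation: a real SDK also keys its aggregation storage on the
// attribute set, which is why unique attribute values become unique series.
type attrSet string

// series holds the running aggregate for one attribute set.
type series struct {
	count int
	sum   float64
}

// cumulativeHistogram stands in for a cumulative-temporality instrument:
// every distinct attribute set seen since start keeps its own series forever.
type cumulativeHistogram struct {
	series map[attrSet]*series
}

func newHistogram() *cumulativeHistogram {
	return &cumulativeHistogram{series: make(map[attrSet]*series)}
}

// makeAttrSet renders the attributes in a deterministic order so that the
// same attribute set always maps to the same series.
func makeAttrSet(attrs map[string]string) attrSet {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(attrs[k])
		b.WriteByte(';')
	}
	return attrSet(b.String())
}

// Record adds one measurement; a never-seen attribute set allocates a new series.
func (h *cumulativeHistogram) Record(value float64, attrs map[string]string) {
	k := makeAttrSet(attrs)
	s, ok := h.series[k]
	if !ok {
		s = &series{}
		h.series[k] = s
	}
	s.count++
	s.sum += value
}

// Cardinality is the number of series the instrument currently retains.
func (h *cumulativeHistogram) Cardinality() int { return len(h.series) }

// fullURIAttrs mirrors the behaviour described in the advisory:
// http.target carries the whole request URI, query string included.
func fullURIAttrs(method, requestURI string) map[string]string {
	return map[string]string{"http.method": method, "http.target": requestURI}
}

// pathOnlyAttrs is the illustrative bounded variant (constructed, not the
// upstream fix): the query string is dropped before the value becomes an attribute.
func pathOnlyAttrs(method, requestURI string) map[string]string {
	path := requestURI
	if u, err := url.ParseRequestURI(requestURI); err == nil {
		path = u.Path
	}
	return map[string]string{"http.method": method, "http.route": path}
}

// simulate replays n requests to one path, each with a unique query string,
// and returns how many series each attribute strategy ends up holding.
func simulate(n int) (fullURI, pathOnly int) {
	full := newHistogram()
	bounded := newHistogram()
	for i := 0; i < n; i++ {
		// Constructed sample: the query string differs on every request.
		uri := fmt.Sprintf("/api/items?nonce=%d", i)
		full.Record(12.5, fullURIAttrs("GET", uri))    // one new series per request
		bounded.Record(12.5, pathOnlyAttrs("GET", uri)) // always the same series
	}
	return full.Cardinality(), bounded.Cardinality()
}

func main() {
	full, bounded := simulate(10000)
	fmt.Printf("http.target = full URI : %d series retained\n", full)
	fmt.Printf("http.route  = path only: %d series retained\n", bounded)
}
```

Run stand-alone, the program reports one retained series per request for the full-URI attribute and a single series for the path-only attribute; the first number is the memory growth the advisory describes, and the gap between the two is what an attribute-cardinality check in a metrics pipeline should alert on.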
Notes
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.