CVE-2023-47108
Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
Severity: 7.5 HIGH (CVSS 3.1); EPSS 4.3%
Description
The gRPC Unary Server Interceptor created by the otelgrpc package attached the labels net.peer.sock.addr and net.peer.sock.port to its metrics. These labels have unbounded cardinality, since every distinct client address and port yields a new label combination, so a flood of malicious requests from many peers can exhaust the server's memory. This results in a denial of service.
How to fix CVE-2023-47108
To remediate CVE-2023-47108, upgrade the affected package to a fixed version below.
- upgrade to 0.46.0 or later
- upgrade to 0.46.0 or later
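To make the mechanism in the description concrete, and to show why removing the two labels is the remediation, here is an added Go example that is not part of this record or of the otelgrpc project. It uses a minimal stand-in for a metrics instrument that keeps one time series per distinct attribute set, fed by constructed requests from many distinct peers. The attribute names net.peer.sock.addr and net.peer.sock.port come from the advisory; the Attr, Counter, DropHighCardinality and Simulate names, the rpc.* sample values and the peer addresses are assumptions made for this example. The filter models the approach of not recording per-peer labels on metrics, which is assumed here to be what the fixed version does; confirm against the 0.46.0 release notes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attr is a key/value label attached to a metric measurement.
type Attr struct{ Key, Value string }

// Counter is a minimal stand-in for a metrics instrument: it holds one
// time series (map entry) per distinct attribute set, as real SDKs do.
type Counter struct {
	series map[string]int64
}

func NewCounter() *Counter { return &Counter{series: map[string]int64{}} }

// key serialises an attribute set deterministically so that equal sets,
// regardless of attribute order, share one time series.
func key(attrs []Attr) string {
	sorted := append([]Attr(nil), attrs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Key < sorted[j].Key })
	var b strings.Builder
	for _, a := range sorted {
		b.WriteString(a.Key)
		b.WriteByte('=')
		b.WriteString(a.Value)
		b.WriteByte(';')
	}
	return b.String()
}

// Add records one measurement; every previously unseen attribute set
// allocates a new series, which is where the memory goes.
func (c *Counter) Add(attrs ...Attr) { c.series[key(attrs)]++ }

// Series reports how many distinct time series the counter holds.
func (c *Counter) Series() int { return len(c.series) }

// HighCardinalityKeys are the two labels named in the advisory.
var HighCardinalityKeys = map[string]bool{
	"net.peer.sock.addr": true,
	"net.peer.sock.port": true,
}

// DropHighCardinality returns attrs without the per-peer labels, so the
// series count is bounded by the set of RPC methods rather than by the
// number of distinct clients (assumed model of the upstream remediation).
func DropHighCardinality(attrs []Attr) []Attr {
	out := make([]Attr, 0, len(attrs))
	for _, a := range attrs {
		if !HighCardinalityKeys[a.Key] {
			out = append(out, a)
		}
	}
	return out
}

// Simulate records n requests from n distinct peers against a single RPC
// method and returns the series count with and without the peer labels.
func Simulate(n int) (unbounded, bounded int) {
	raw, filtered := NewCounter(), NewCounter()
	for i := 0; i < n; i++ {
		attrs := []Attr{
			{"rpc.service", "example.Echo"}, // constructed sample values
			{"rpc.method", "Ping"},
			{"net.peer.sock.addr", fmt.Sprintf("10.0.%d.%d", i/256, i%256)},
			{"net.peer.sock.port", fmt.Sprintf("%d", 30000+i)},
		}
		raw.Add(attrs...)
		filtered.Add(DropHighCardinality(attrs)...)
	}
	return raw.Series(), filtered.Series()
}

func main() {
	u, b := Simulate(5000)
	fmt.Printf("series with peer labels: %d, without: %d\n", u, b)
}
```

With the peer labels kept, the series count equals the number of distinct peers and grows with every new client; with them dropped, all 5000 requests collapse into a single series for the one method. The same reasoning applies when reviewing any instrumentation: any label whose value is chosen by the remote party (addresses, ports, user-supplied identifiers) should never reach a metrics instrument.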
Is CVE-2023-47108 being exploited?
Low — EPSS is 4.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.37.0, < 0.46.0
- >= 0.37.0, < 0.46.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |