CVE-2023-25151
Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Description
The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack. It uses the httpconv.ServerRequest function to annotate the measurements it records for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments. ServerRequest sets the http.target attribute to the whole request URI, query string included. With "cumulative" temporality the metric instruments never forget an attribute set they have seen, so the number of attribute sets (time series) kept in memory grows with the number of unique URIs handled. A client that sends a constantly changing query string therefore drives unbounded memory growth in the instrumented server, which can be used as a denial-of-service attack. The attribute value is entirely attacker-controlled and no authentication is needed, which is why the vector below scores AV:N/PR:N with High availability impact.
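The mechanism described above, as an added, constructed example that is not code from otelhttp or opentelemetry-go-contrib: a tiny cumulative counter keyed by (method, http.target) stands in for the real instruments, a hypothetical MetricsMiddleware records one measurement per request, and SeriesAfterRequests sends constructed attacker traffic (one route, a fresh query string on every request) through it. FullRequestURI reproduces the vulnerable choice of attribute value; PathOnly is a bounded alternative. All names here are illustrative assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// attrSet is a minimal stand-in for a metric attribute set. A cumulative
// instrument keeps one time series per distinct attribute set.
type attrSet struct {
	Method string
	Target string // the http.target value
}

// cumulativeCounter is a constructed stand-in for a cumulative metric
// instrument: every distinct attribute set it has ever seen stays allocated
// for the life of the process, which is the behaviour the advisory describes.
type cumulativeCounter struct {
	mu     sync.Mutex
	series map[attrSet]int64
}

func newCumulativeCounter() *cumulativeCounter {
	return &cumulativeCounter{series: make(map[attrSet]int64)}
}

func (c *cumulativeCounter) add(a attrSet, n int64) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[a] += n
}

// cardinality returns how many distinct series the counter is holding.
func (c *cumulativeCounter) cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// TargetFunc derives the http.target attribute value from a request.
type TargetFunc func(r *http.Request) string

// FullRequestURI reproduces the vulnerable choice: the whole request URI,
// query string included, becomes the attribute value, so every distinct
// query string opens a new series.
func FullRequestURI(r *http.Request) string { return r.RequestURI }

// PathOnly is a bounded alternative: the path without the query string.
func PathOnly(r *http.Request) string { return r.URL.Path }

// MetricsMiddleware counts requests by method and target, the way the
// affected otelhttp versions annotated their http.server.* instruments.
// Hypothetical helper for this example, not the otelhttp API.
func MetricsMiddleware(c *cumulativeCounter, target TargetFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		c.add(attrSet{Method: r.Method, Target: target(r)}, 1)
	})
}

// SeriesAfterRequests sends n requests to one route, each with a different
// query string (constructed attacker traffic), and returns how many series
// the counter holds afterwards.
func SeriesAfterRequests(n int, target TargetFunc) int {
	c := newCumulativeCounter()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := MetricsMiddleware(c, target, ok)
	for i := 0; i < n; i++ {
		// Same route every time; only the query differs.
		req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/api/items?nonce=%d", i), nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.cardinality()
}

func main() {
	const n = 10000
	fmt.Printf("http.target = full URI: %d series after %d requests\n", SeriesAfterRequests(n, FullRequestURI), n)
	fmt.Printf("http.target = path only: %d series after %d requests\n", SeriesAfterRequests(n, PathOnly), n)
}
```

With the full request URI the counter holds one series per request and never releases them; with the path only it holds a single series. Dropping the query is not a complete answer on its own: a client that can reach arbitrary paths (for example against a catch-all handler) can still grow the path-keyed set, so the robust choice is to key metrics on the matched route template rather than any raw client-supplied string, as otelhttp's WithRouteTag helper does for its route attribute.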
How to fix CVE-2023-25151
To fix CVE-2023-25151, upgrade the affected packages to the patched versions below.
- — upgrade to 0.39.0 or later
- — upgrade to 0.39.0 or later
- — upgrade to 0.39.0 or later
Is CVE-2023-25151 being exploited?
Low: EPSS score 0.5%; no large-scale exploitation activity has been observed.
Affected packages (3)
- >= 0.38.0, < 0.39.0
- >= 0.38.0, < 0.39.0
- >= 0.38.0, < 0.39.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |