PT-2023-9340 · Unknown+2 · Opentelemetry-Go Contrib+2
Pellared · Published 2023-11-10 · Updated 2025-10-28 · CVE-2023-47108
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry-Go Contrib versions prior to 0.46.0
Description
The issue is related to the gRPC Unary Server Interceptor adding the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality, leading to potential memory exhaustion when many malicious requests are sent. An attacker can easily send requests from many distinct peer addresses and ports, causing a denial of service.
Recommendations
For versions prior to 0.46.0, as a temporary workaround, consider using a view that removes the attributes net.peer.sock.addr and net.peer.sock.port.
Alternatively, disable gRPC metrics instrumentation by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider.
For a permanent solution, upgrade to version 0.46.0 or later, which contains a fix for this issue.
Exploit
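To show why the two socket attributes are dangerous and what the view-based workaround changes, here is an added stand-alone Go model; it is not code from opentelemetry-go-contrib or the OpenTelemetry SDK. It assumes a toy Counter that, like a real metric SDK, keeps one series per distinct attribute set for the life of the process, with a Drop set standing in for the attribute filter a view applies (in the SDK that is a metric.NewView whose Stream has an AttributeFilter denying those keys); the peer addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attributes is the label set the gRPC server interceptor attaches to a metric.
type Attributes map[string]string

// Counter stands in for SDK metric storage: one series per distinct attribute
// set, never released. Drop holds the keys a view removes (nil = no view).
type Counter struct {
	Drop   map[string]bool
	series map[string]int64
}

// Add increments the series identified by the attribute set minus dropped keys.
func (c *Counter) Add(attrs Attributes) {
	if c.series == nil {
		c.series = map[string]int64{}
	}
	pairs := make([]string, 0, len(attrs))
	for k, v := range attrs {
		if !c.Drop[k] {
			pairs = append(pairs, k+"="+v)
		}
	}
	sort.Strings(pairs) // canonical order so equal sets map to one series
	c.series[strings.Join(pairs, ";")]++
}

// SimulateFlood records one request from each of n distinct (constructed)
// peer sockets and returns how many series the counter now holds in memory.
func SimulateFlood(c *Counter, n int) int {
	for i := 0; i < n; i++ {
		c.Add(Attributes{"rpc.service": "example.Greeter", "rpc.method": "SayHello",
			"net.peer.sock.addr": fmt.Sprintf("10.0.%d.%d", i/256, i%256),
			"net.peer.sock.port": fmt.Sprintf("%d", 40000+i)})
	}
	return len(c.series)
}

func main() {
	fmt.Println("without view:", SimulateFlood(&Counter{}, 10000))
	view := map[string]bool{"net.peer.sock.addr": true, "net.peer.sock.port": true}
	fmt.Println("with view:", SimulateFlood(&Counter{Drop: view}, 10000))
}
```

Without the view the series count grows with every new peer socket; with the view all requests to the same method collapse into a single series, which is the bound the workaround restores.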
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related identifiers
Affected products
Opentelemetry-Go Contrib
Red Os
Suse