Unknown · Azureauthextension · CVE-2026-42602
**Name of the Vulnerable Software and Affected Versions**
azureauthextension versions 0.124.0 through 0.150.0
**Description**
A server-side authentication bypass exists in `azureauthextension` when it is used as the authenticator for an OpenTelemetry receiver (`auth: azure auth`). The `Authenticate()` function does not validate the incoming bearer token as a JSON Web Token (JWT, the compact, URL-safe claims format these tokens use). Instead, the extension performs a plain string equality comparison between the client-supplied token and a token the server itself obtains.
Furthermore, the scope used for the server-side token request is derived from the client-supplied `Host` header. An attacker who holds a valid Azure access token for any scope the collector's identity can mint (for example ARM, Graph, Key Vault or Storage) can therefore authenticate to the collector simply by sending a matching `Host` header. Tokens are replayable for their entire issued lifetime.
**Recommendations**
For versions 0.124.0 through 0.150.0, remove `azure auth` from any receiver `auth:` blocks.
As a temporary mitigation, restrict the use of the `azureauthextension` on receivers until a patch is available.