Douglasheriot

**Name of the Vulnerable Software and Affected Versions** OpenTelemetry Collector versions prior to v0.108.0 **Description** The OpenTelemetry Collector module `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. This module can be used to receive CloudWatch metrics via an AWS Firehose Stream, and it sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. However, when this key is configured, the module still accepts incoming requests with no key. There is a risk of unauthorized users writing metrics, and carefully crafted metrics could hide other malicious activity. It's likely that these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. **Recommendations** For OpenTelemetry Collector versions prior to v0.108.0, upgrade to version v0.108.0 or later to fix the vulnerability. As a temporary workaround, consider disabling the `awsfirehosereceiver` module until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the `X-Amz-Firehose-Access-Key` header in the affected API endpoint until the issue is resolved.