Opentelemetry · Opentelemetry.Instrumentation.Aspnetcore · CVE-2024-32028
**Name of the Vulnerable Software and Affected Versions**
OpenTelemetry.Instrumentation.Http versions prior to 1.8.1
OpenTelemetry.Instrumentation.AspNetCore versions prior to 1.8.1
**Description**
The issue concerns the `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` components of OpenTelemetry .NET. In affected versions, the `url.full` and `url.query` attributes/tags are written on spans (`Activity`) when tracing is enabled for outgoing and incoming HTTP requests, respectively. These attributes, defined by the Semantic Conventions for HTTP Spans, may pass through raw query strings unmodified, potentially leaking sensitive information, such as End User Identifiable Information (EUII) or credentials, into telemetry backends. This could cause privacy and/or security incidents.
**Recommendations**
To resolve the issue, upgrade to version 1.8.1 or later of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore`, as these versions redact by default all values detected on transmitted or received query strings.
For versions prior to 1.8.1, consider temporarily disabling the tracing of HTTP requests or restricting access to sensitive information until an upgrade is possible.
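As an added illustration of the second recommendation (not code from the advisory or from the OpenTelemetry project), the following hypothetical `BaseProcessor<Activity>` blanks out query-string values on the `url.full` and `url.query` tags before any exporter sees them; it assumes the standard OpenTelemetry .NET SDK API (`BaseProcessor<Activity>`, `Activity.GetTagItem`, `Activity.SetTag`, `TracerProviderBuilder.AddProcessor`) and must be registered before the exporter, since processors run in registration order.

```csharp
using System;
using System.Diagnostics;
using OpenTelemetry;

// Hypothetical processor: redacts query-string values on HTTP spans
// produced by the Http and AspNetCore instrumentation before export.
public sealed class QueryRedactingProcessor : BaseProcessor<Activity>
{
    private const string Redacted = "REDACTED";

    public override void OnEnd(Activity activity)
    {
        // Incoming requests (AspNetCore) carry url.query.
        if (activity.GetTagItem("url.query") is string query)
            activity.SetTag("url.query", RedactQuery(query));

        // Outgoing requests (Http) carry url.full, which embeds the query.
        if (activity.GetTagItem("url.full") is string full)
            activity.SetTag("url.full", RedactUrl(full));
    }

    // Keeps parameter names, replaces every value:
    // "user=alice&token=s3cr3t" -> "user=REDACTED&token=REDACTED"
    public static string RedactQuery(string query)
    {
        if (string.IsNullOrEmpty(query)) return query;
        var parts = query.Split('&');
        for (int i = 0; i < parts.Length; i++)
        {
            int eq = parts[i].IndexOf('=');
            if (eq >= 0) parts[i] = parts[i].Substring(0, eq + 1) + Redacted;
        }
        return string.Join("&", parts);
    }

    // Redacts only the query portion of a full URL, preserving path and fragment.
    public static string RedactUrl(string url)
    {
        int q = url.IndexOf('?');
        if (q < 0) return url;
        int frag = url.IndexOf('#', q);
        string query = frag < 0 ? url.Substring(q + 1) : url.Substring(q + 1, frag - q - 1);
        string tail = frag < 0 ? string.Empty : url.Substring(frag);
        return url.Substring(0, q + 1) + RedactQuery(query) + tail;
    }
}

// Registration (assumed host setup): the redacting processor is added
// before the exporter so exported spans never contain raw query values.
// Sdk.CreateTracerProviderBuilder()
//    .AddHttpClientInstrumentation()
//    .AddAspNetCoreInstrumentation()
//    .AddProcessor(new QueryRedactingProcessor())
//    .AddConsoleExporter()
//    .Build();
```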