PT-2023-9340 · Unknown+2 · Opentelemetry-Go Contrib+2

Pellared · Published 2023-11-10 · Updated 2025-10-28 · CVE-2023-47108

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

OpenTelemetry-Go Contrib (gRPC instrumentation package otelgrpc) versions prior to 0.46.0

Description

The grpc Unary Server Interceptor in otelgrpc attaches the attributes net.peer.sock.addr and net.peer.sock.port to the metrics it records. Both have unbounded cardinality: every distinct client address and source port produces a new metric series that the server keeps in memory. An attacker can trivially vary the peer address and port across many requests, so the metric state grows until memory is exhausted and the server is denied service.

Recommendations

Upgrade to version 0.46.0 or later, which contains the fix. For versions prior to 0.46.0, two temporary workarounds are available: configure a metrics View that removes the attributes net.peer.sock.addr and net.peer.sock.port, or disable gRPC metrics instrumentation entirely by passing the otelgrpc.WithMeterProvider option with noop.NewMeterProvider (this also discards the legitimate RPC metrics, so prefer the View if those metrics are needed).
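The following is an added, self-contained simulation written for this entry; it is not code from the OpenTelemetry project and does not import the OpenTelemetry SDK. It models what an aggregating instrument does internally (one bucket per distinct attribute set) and shows why the net.peer.sock.addr and net.peer.sock.port attributes turn a request flood into unbounded memory growth, then applies the View-style workaround by filtering those two keys before they become part of the bucket key. The Attr, Counter, DenyKeys and Flood names and the 10.x.x.x peer addresses are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Attr is one metric attribute (key/value pair). It mirrors the shape of an
// OpenTelemetry attribute so the SDK does not have to be imported here.
type Attr struct {
	Key   string
	Value string
}

// Counter is a toy instrument. Like a real aggregator it keeps one bucket per
// distinct attribute set, and that map is what grows without bound when an
// attribute carries per-client values such as a socket address or port.
type Counter struct {
	buckets map[string]int64
	keep    func(Attr) bool // nil keeps every attribute
}

// NewCounter returns a Counter whose attribute sets are reduced through keep
// before they become bucket keys, the role a metrics View plays in the SDK.
func NewCounter(keep func(Attr) bool) *Counter {
	return &Counter{buckets: make(map[string]int64), keep: keep}
}

// Add records one observation under the filtered, canonically ordered
// attribute set.
func (c *Counter) Add(attrs []Attr) {
	kept := make([]Attr, 0, len(attrs))
	for _, a := range attrs {
		if c.keep == nil || c.keep(a) {
			kept = append(kept, a)
		}
	}
	sort.Slice(kept, func(i, j int) bool { return kept[i].Key < kept[j].Key })
	var key strings.Builder
	for _, a := range kept {
		key.WriteString(a.Key)
		key.WriteByte('=')
		key.WriteString(a.Value)
		key.WriteByte(';')
	}
	c.buckets[key.String()]++
}

// Cardinality is the number of distinct attribute sets held in memory.
func (c *Counter) Cardinality() int { return len(c.buckets) }

// Total is the number of observations recorded across all buckets.
func (c *Counter) Total() int64 {
	var n int64
	for _, v := range c.buckets {
		n += v
	}
	return n
}

// DenyKeys builds a filter that drops the named attribute keys, the analogue
// of a View that removes net.peer.sock.addr and net.peer.sock.port.
func DenyKeys(keys ...string) func(Attr) bool {
	denied := make(map[string]bool, len(keys))
	for _, k := range keys {
		denied[k] = true
	}
	return func(a Attr) bool { return !denied[a.Key] }
}

// Flood simulates n unary RPCs to one method, each arriving from a distinct
// peer address:port pair (constructed values). An attacker gets this for free:
// every new TCP connection carries a fresh source port, and a distributed
// attacker varies the address as well.
func Flood(c *Counter, n int) {
	for i := 0; i < n; i++ {
		c.Add([]Attr{
			{"rpc.system", "grpc"},
			{"rpc.service", "example.Greeter"},
			{"rpc.method", "SayHello"},
			{"net.peer.sock.addr", fmt.Sprintf("10.%d.%d.%d", i/65536%256, i/256%256, i%256)},
			{"net.peer.sock.port", strconv.Itoa(1024 + i%60000)},
		})
	}
}

func main() {
	const rpcs = 50000

	unfiltered := NewCounter(nil)
	Flood(unfiltered, rpcs)
	fmt.Printf("no view:   %d RPCs -> %d metric buckets (one per peer)\n",
		unfiltered.Total(), unfiltered.Cardinality())

	filtered := NewCounter(DenyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	Flood(filtered, rpcs)
	fmt.Printf("with view: %d RPCs -> %d metric bucket(s)\n",
		filtered.Total(), filtered.Cardinality())
}
```

Without the filter the bucket count equals the number of distinct peers, so memory scales with attacker traffic; with the two keys dropped, all requests to the same method collapse into a single bucket while the total count is unchanged. In the real SDK the same reduction is done declaratively: register a View on the MeterProvider whose Stream carries an AttributeFilter that denies the two keys (the otel attribute package provides a deny-keys filter constructor for this; confirm the exact name against the SDK version in use, as this API has moved between releases) and hand that provider to otelgrpc.WithMeterProvider. The noop.NewMeterProvider alternative corresponds to never calling Add at all: no buckets, but also no RPC metrics.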

Exploit

Fix

DoS

Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

AZL-31896
AZL-34620
AZL-34891
AZL-34995
AZL-35434
AZL-35440
AZL-42745
BDU:2024-06663
CVE-2023-47108
GHSA-8PGV-569H-W5RW
GO-2023-2331
OPENSUSE-SU-2024:13615-1
OPENSUSE-SU-2024:13834-1
OPENSUSE-SU-2024:13835-1
OPENSUSE-SU-2024:13836-1
OPENSUSE-SU-2024:14032-1
OPENSUSE-SU-2024:14320-1
OPENSUSE-SU-2024:14321-1
OPENSUSE-SU-2024_3221-1
OPENSUSE-SU-2024_3656-1
OPENSUSE-SU-2024_4360-1
OPENSUSE-SU-2025:0003-1
RHSA-2024:0207
RHSA-2024:0288
RHSA-2024:0489
SUSE-SU-2024:3188-1
SUSE-SU-2024:3221-1
SUSE-SU-2024:3656-1
SUSE-SU-2024:4319-1
SUSE-SU-2024:4360-1
SUSE-SU-2025:20091-1
SUSE-SU-2025:20110-1
SUSE-SU-2025:20259-1
SUSE-SU-2025:20385-1

Affected Products

Opentelemetry-Go Contrib
Red Os
Suse