PT-2024-24366 · Opentelemetry · Opentelemetry.Instrumentation.Aspnetcore+1
Ilyagrebnov · Published 2024-04-12 · Updated 2024-04-15
CVE-2024-32028 · CVSS v3.1 4.1 (Medium)
| Vector | AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry.Instrumentation.Http versions prior to 1.8.1
OpenTelemetry.Instrumentation.AspNetCore versions prior to 1.8.1
Description
The issue affects the OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore packages of OpenTelemetry .NET. In affected versions, when tracing is enabled, the url.full attribute is written on client spans (Activity objects) for outgoing HTTP requests and the url.query attribute on server spans for incoming requests. Both attributes are defined by the OpenTelemetry Semantic Conventions for HTTP spans, and both were recorded with the raw query string. Any sensitive data carried in query parameters, such as End User Identifiable Information (EUII) or credentials (API keys, session or password-reset tokens), was therefore exported verbatim to the telemetry backend and became readable by anyone with access to the stored traces. This can lead to privacy and/or security incidents.
Recommendations
To resolve the issue, upgrade to version 1.8.1 or later of OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore. Starting with 1.8.1, both packages redact by default every value found in transmitted or received query strings before writing url.full or url.query: the parameter names are kept and each value is replaced with the placeholder text "Redacted". This new default can be switched off per package through the environment variables OTEL_DOTNET_EXPERIMENTAL_HTTPCLIENT_DISABLE_URL_QUERY_REDACTION and OTEL_DOTNET_EXPERIMENTAL_ASPNETCORE_DISABLE_URL_QUERY_REDACTION, so after upgrading verify that no deployment sets them.
For versions prior to 1.8.1, temporarily disable tracing of HTTP requests, or overwrite url.full and url.query with a redacted copy through the instrumentation's enrich hooks, and restrict who can read the telemetry backend that stores the traces until an upgrade is possible. Independently of the library version, credentials and other sensitive data should not travel in query strings at all; send them in headers or the request body.
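The following is an added example, not code from this advisory or from the OpenTelemetry project. It shows the enrich-hook workaround for applications that cannot yet move off an affected version: both instrumentations expose a callback that receives the span and the request, and the callback overwrites the url.query (server span) and url.full (client span) tags with a copy in which every query-string value is replaced by "Redacted", the same replacement text 1.8.1 uses by default. Assumptions (none of them stated on the page): a .NET 8 minimal API; the packages OpenTelemetry.Extensions.Hosting, OpenTelemetry.Instrumentation.AspNetCore, OpenTelemetry.Instrumentation.Http and OpenTelemetry.Exporter.Console; the attribute names url.query and url.full named in the advisory; and that the Enrich* hooks run after the instrumentation has written those tags, so Activity.SetTag replaces the raw values. The QueryRedactor class and the /login endpoint are constructed for this example.

```csharp
// Added example, not code from the advisory or the OpenTelemetry project.
// Workaround for OpenTelemetry.Instrumentation.AspNetCore / .Http before 1.8.1:
// overwrite url.query (server spans) and url.full (client spans) on every span
// with a copy in which each query-string value is replaced by "Redacted".
//
// Assumptions: .NET 8 minimal API; packages OpenTelemetry.Extensions.Hosting,
// OpenTelemetry.Instrumentation.AspNetCore, OpenTelemetry.Instrumentation.Http
// and OpenTelemetry.Exporter.Console; the attribute names url.query / url.full
// given in the advisory; and that the Enrich* hooks run after the
// instrumentation has written those tags, so Activity.SetTag overwrites them.
using System.Text;
using OpenTelemetry;
using OpenTelemetry.Trace;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenTelemetry()
    .WithTracing(tracing => tracing
        .AddAspNetCoreInstrumentation(options =>
        {
            // Incoming request: replace the raw url.query written by the instrumentation.
            options.EnrichWithHttpRequest = (activity, request) =>
            {
                if (request.QueryString.HasValue)
                {
                    activity.SetTag("url.query", QueryRedactor.Redact(request.QueryString.Value!));
                }
            };
        })
        .AddHttpClientInstrumentation(options =>
        {
            // Outgoing request: url.full carries the whole URL, so rebuild it
            // with the redacted query.
            options.EnrichWithHttpRequestMessage = (activity, request) =>
            {
                if (request.RequestUri is { IsAbsoluteUri: true } uri && uri.Query.Length > 0)
                {
                    activity.SetTag("url.full", QueryRedactor.RedactUrl(uri));
                }
            };
        })
        .AddConsoleExporter());

var app = builder.Build();

// Constructed endpoint for trying it out: GET /login?user=alice&token=s3cr3t
// now yields a server span whose url.query is "?user=Redacted&token=Redacted".
app.MapGet("/login", (string user, string token) => Results.Ok(user));

app.Run();

static class QueryRedactor
{
    // "?user=alice&token=s3cr3t&flag" -> "?user=Redacted&token=Redacted&flag"
    // Parameter names survive so traces can still be grouped by them; only the
    // values, where credentials and EUII end up, are replaced.
    public static string Redact(string query)
    {
        var sb = new StringBuilder(query.Length);
        bool inValue = false;
        for (int i = 0; i < query.Length; i++)
        {
            char c = query[i];
            if (c == '&' || (c == '?' && i == 0))
            {
                sb.Append(c);            // separator: the next characters are a key
                inValue = false;
            }
            else if (c == '=' && !inValue)
            {
                sb.Append("=Redacted");  // first '=' of a pair: drop the real value
                inValue = true;
            }
            else if (!inValue)
            {
                sb.Append(c);            // still inside the key
            }
            // anything inside a value, including further '=' or '?', is skipped
        }
        return sb.ToString();
    }

    // Keeps scheme, authority and path; the fragment is dropped, which url.full
    // should not carry in the first place.
    public static string RedactUrl(Uri uri) =>
        uri.GetLeftPart(UriPartial.Path) + Redact(uri.Query);
}
```

The redaction deliberately keeps the parameter names and drops everything after the first "=" of each pair, so a value containing its own "=" or "?" cannot leak part of itself. Once the upgrade to 1.8.1 is done the hooks become redundant and can be removed, but leaving them in place is harmless because both layers produce the same output.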
Related Identifiers
Affected Products
Opentelemetry.Instrumentation.Aspnetcore
@Opentelemetry/Instrumentation