CVE-2023-43810

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-43810
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43810.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-43810
Aliases
Published
2023-10-06T13:53:17Z
Modified
2025-10-15T02:31:43.049136Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics
Details

OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. Out of the box, autoinstrumentation adds the label http_method, which has unbound cardinality: every distinct value creates a new metric series. This can lead to memory exhaustion on the server when many malicious requests are sent, because the HTTP method of a request can easily be set by an attacker to a random, long string. To be affected, a program has to be instrumented for HTTP handlers and must not filter unknown HTTP methods at the CDN, load balancer, earlier middleware, or a similar layer. This issue has been patched in version 0.41b0.
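The cardinality problem described above, as an added example that is not OpenTelemetry's own code: the vulnerable label (attacker-controlled method used verbatim) beside a bounded one that collapses unknown methods into a single bucket. The KNOWN_METHODS set, sanitize_method and the in-memory Counter standing in for the metrics SDK are assumptions made for this illustration.

```python
"""Added example (not OpenTelemetry's code): bounding the cardinality of an
HTTP method metric label, the mitigation the advisory describes.
An in-memory Counter stands in for the metrics SDK's per-label series."""
from collections import Counter
from typing import Callable, Iterable, List

# Standard request methods; anything outside this set is collapsed into one
# bucket so the label can take at most len(KNOWN_METHODS) + 1 values.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
})
OTHER_BUCKET = "_OTHER"  # assumed bucket name for unknown methods


def raw_method_label(method: str) -> str:
    """Vulnerable behaviour: the attacker-controlled method becomes the label."""
    return method


def sanitize_method(method: str) -> str:
    """Hardened behaviour: normalise case, map unknown methods to one bucket."""
    upper = method.strip().upper()
    return upper if upper in KNOWN_METHODS else OTHER_BUCKET


def record_requests(methods: Iterable[str], label_fn: Callable[[str], str]) -> Counter:
    """Count requests per label value; len(result) is the label's cardinality,
    i.e. the number of metric series the SDK would have to keep in memory."""
    counts: Counter = Counter()
    for method in methods:
        counts[label_fn(method)] += 1
    return counts


def label_cardinality(methods: Iterable[str], label_fn: Callable[[str], str]) -> int:
    return len(record_requests(list(methods), label_fn))


def constructed_traffic(n_hostile: int) -> List[str]:
    """Constructed sample: ordinary traffic plus n_hostile requests whose
    method is a long, unique string, which a client is free to send."""
    normal = ["GET", "get", "POST", "HEAD"] * 50
    hostile = ["XMETHOD" + str(i).zfill(8) * 4 for i in range(n_hostile)]
    return normal + hostile


if __name__ == "__main__":
    traffic = constructed_traffic(10_000)
    print("raw label cardinality:      ", label_cardinality(traffic, raw_method_label))
    print("sanitized label cardinality:", label_cardinality(traffic, sanitize_method))
```

With the raw label, each hostile request adds a series; with the sanitized label the series count stays at the handful of real methods plus the `_OTHER` bucket regardless of how much hostile traffic arrives.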

References

Affected packages

Git / github.com/open-telemetry/opentelemetry-python-contrib

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-python-contrib
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.25b1

opentelemetry-propagator-aws-xray==1.*

opentelemetry-propagator-aws-xray==1.0.0
opentelemetry-propagator-aws-xray==1.0.1

opentelemetry-sdk-extension-aws==2.*

opentelemetry-sdk-extension-aws==2.0.0
opentelemetry-sdk-extension-aws==2.0.1

v0.*

v0.16b0
v0.17b0
v0.19b0
v0.21b0
v0.22b0
v0.23b0
v0.24b0
v0.25b0
v0.25b2
v0.26b1
v0.27b0
v0.28b0
v0.28b1
v0.29b0
v0.30b0
v0.30b1
v0.31b0
v0.32b0
v0.33b0
v0.34b0
v0.35b0
v0.36b0