CVE-2024-32028

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-32028
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32028.json
Aliases
Published
2024-04-12T23:15:06Z
Modified
2024-05-14T13:11:06.724825Z
Summary
[none]
Details

OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore the url.full writes attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability. The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/open-telemetry/opentelemetry-dotnet

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-dotnet
Events
Introduced
0The exact introduced commit is unknown
Fixed
e222ecb5942d4ce1cadfd4306c39e3f4933a5c42

Affected versions

0.*

0.2.0-alpha
0.3.0-beta
0.4.0-beta
0.5.0-beta
0.6.0-beta
0.7.0-beta
0.8.0-beta

1.*

1.0.0-rc1
1.0.0-rc10
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0-rc5
1.0.0-rc6
1.0.0-rc7
1.0.0-rc8
1.0.0-rc9
1.0.0-rc9.1
1.0.0-rc9.10
1.0.0-rc9.11
1.0.0-rc9.12
1.0.0-rc9.13
1.0.0-rc9.14
1.0.0-rc9.2
1.0.0-rc9.3
1.0.0-rc9.4
1.0.0-rc9.5
1.0.0-rc9.6
1.0.0-rc9.7
1.0.0-rc9.8
1.0.0-rc9.9
1.5.0-beta.1
1.5.1-beta.1
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.3
1.6.0-rc.1
1.7.0-beta.1

Instrumentation.*

Instrumentation.AspNetCore-1.6.0
Instrumentation.AspNetCore-1.7.0
Instrumentation.AspNetCore-1.7.1
Instrumentation.AspNetCore-1.8.0
Instrumentation.GrpcNetClient-1.7.0-beta.1
Instrumentation.GrpcNetClient-1.8.0-beta.1
Instrumentation.Http-1.6.0
Instrumentation.Http-1.7.0
Instrumentation.Http-1.7.1
Instrumentation.Http-1.8.0
Instrumentation.SqlClient-1.7.0-beta.1
Instrumentation.SqlClient-1.8.0-beta.1

core-1.*

core-1.0.0-rc3
core-1.0.0-rc4
core-1.0.1
core-1.1.0
core-1.1.0-beta1
core-1.1.0-beta2
core-1.1.0-beta3
core-1.1.0-beta4
core-1.1.0-rc1
core-1.2.0
core-1.2.0-alpha1
core-1.2.0-alpha2
core-1.2.0-alpha3
core-1.2.0-alpha4
core-1.2.0-beta1
core-1.2.0-beta2
core-1.2.0-rc1
core-1.2.0-rc2
core-1.2.0-rc3
core-1.2.0-rc4
core-1.2.0-rc5
core-1.3.0
core-1.3.0-beta.1
core-1.3.0-beta.2
core-1.3.0-rc.2
core-1.4.0
core-1.4.0-alpha.1
core-1.4.0-alpha.2
core-1.4.0-beta.1
core-1.4.0-beta.2
core-1.4.0-beta.3
core-1.4.0-rc.1
core-1.4.0-rc.2
core-1.4.0-rc.3
core-1.4.0-rc.4
core-1.5.0
core-1.5.0-alpha.1
core-1.5.0-rc.1
core-1.6.0
core-1.6.0-alpha.1
core-1.6.0-rc.1
core-1.7.0
core-1.7.0-alpha.1
core-1.7.0-rc.1
core-1.8.0
core-1.8.0-beta.1
core-1.8.0-rc.1