GHSA-vh2m-22xx-q94f

Source

https://github.com/advisories/GHSA-vh2m-22xx-q94f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vh2m-22xx-q94f/GHSA-vh2m-22xx-q94f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vh2m-22xx-q94f

Aliases

CVE-2024-32028

Published

2024-04-12T22:54:09Z

Modified

2024-04-15T19:46:42.582465Z

Severity

4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore

Details

Impact

OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.

These attributes are defined by the Semantic Conventions for HTTP Spans.

Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.

Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.

Resolution

The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query sting:

?key1=value1&key2=value2

Example of redacted value written on telemetry:

?key1=Redacted&key2=Redacted

Database specific

{
    "nvd_published_at": "2024-04-12T23:15:06Z",
    "cwe_ids": [
        "CWE-201",
        "CWE-212"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T22:54:09Z"
}

References

Affected packages

NuGet / OpenTelemetry.Instrumentation.Http

Package

Name: OpenTelemetry.Instrumentation.Http; View open source insights on deps.dev
Purl: pkg:nuget/OpenTelemetry.Instrumentation.Http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1

Affected versions

1.*

1.0.0-rc10

1.0.0-rc2

1.0.0-rc3

1.0.0-rc4

1.0.0-rc5

1.0.0-rc6

1.0.0-rc7

1.0.0-rc8

1.0.0-rc9

1.6.0

1.7.0

1.7.1

1.8.0

NuGet / OpenTelemetry.Instrumentation.AspNetCore