GHSA-vh2m-22xx-q94f
- Source
- https://github.com/advisories/GHSA-vh2m-22xx-q94f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vh2m-22xx-q94f/GHSA-vh2m-22xx-q94f.json
- Aliases
- Published
- 2024-04-12T22:54:09Z
- Modified
- 2024-04-15T19:46:42.582465Z
- Details
-
Impact
OpenTelemetry.Instrumentation.Httpwrites theurl.fullattribute/tag on spans (Activity) when tracing is enabled for outgoing http requests andOpenTelemetry.Instrumentation.AspNetCorewrites theurl.queryattribute/tag on spans (Activity) when tracing is enabled for incoming http requests.These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the
1.8.1the values written byOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.Note: Older versions of
OpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCoremay use different tag names but have the same vulnerability.Resolution
The
1.8.1versions ofOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill now redact by default all values detected on transmitted or received query strings.Example transmitted or received query sting:
?key1=value1&key2=value2Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted - References
-
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
- https://nvd.nist.gov/vuln/detail/CVE-2024-32028
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42
- https://github.com/open-telemetry/opentelemetry-dotnet
- https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md