Overview
About the vulnerability
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. A malicious or compromised collector endpoint (or a network attacker able to MITM the exporter connection) can therefore return an arbitrarily large response and exhaust the exporting process's memory. This vulnerability is fixed in 1.43.0.
Details
- Affected products:
  - Grafana, Loki, MinIO, github.com/grafana/e2e, github.com/grafana/grafana-app-sdk, github.com/grafana/grafana/apps/playlist, github.com/grafana/tempo, github.com/heroku/x, github.com/openfga/openfga, github.com/prometheus/prometheus, go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp, go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp, grafana/e2e, grafana/grafana-app-sdk, grafana/grafana/apps/investigation, grafana/grafana/apps/playlist, grafana/tempo, heroku/x, open-telemetry/opentelemetry-go/exporters/otlp/otlpmetric/otlpmetrichttp, open-telemetry/opentelemetry-go/exporters/otlp/otlptrace/otlptracehttp, openfga/openfga, prometheus/prom2json, prometheus/prometheus
- Affected packages:
  - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp @ 1.28.0 (+59 more)
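As an added illustration, not code from OpenTelemetry-Go, the following shows the unbounded response-body read pattern described above beside a bounded alternative built on io.LimitReader. The function names, the 1 MiB cap and the endlessReader stand-in for a hostile endpoint are assumptions for this example, not the project's own values.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrResponseTooLarge is returned when a response body exceeds the cap.
var ErrResponseTooLarge = errors.New("otlp response body exceeds size cap")
// readBodyUnbounded mirrors the pre-1.43.0 pattern: the whole body goes into
// a bytes.Buffer with no limit, so the endpoint decides how much memory is used.
func readBodyUnbounded(body io.Reader) ([]byte, error) {
	var buf bytes.Buffer
	if _, err := buf.ReadFrom(body); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readBodyBounded reads at most maxBytes. It requests one byte past the cap so
// a body exactly at the limit is accepted while a longer one is rejected after
// buffering only maxBytes+1 bytes, whatever the endpoint keeps sending.
func readBodyBounded(body io.Reader, maxBytes int64) ([]byte, error) {
	var buf bytes.Buffer
	n, err := buf.ReadFrom(io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return buf.Bytes(), nil
}

// endlessReader stands in for a hostile endpoint that never stops sending.
type endlessReader struct{}
func (endlessReader) Read(p []byte) (int, error) { return len(p), nil }

func main() {
	// Constructed sample: a normal, small OTLP-style response body.
	out, err := readBodyBounded(strings.NewReader(`{"partialSuccess":{}}`), 1<<20)
	fmt.Printf("small body: %d bytes, err=%v\n", len(out), err)
	// The bounded read returns promptly even against an endless stream;
	// readBodyUnbounded(endlessReader{}) would grow the buffer until OOM.
	_, err = readBodyBounded(endlessReader{}, 1<<20)
	fmt.Println("endless body:", err)
}
```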