GO-2023-1546

Source
https://pkg.go.dev/vuln/GO-2023-1546
Import Source
https://vuln.go.dev/ID/GO-2023-1546.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1546
Aliases
Related
Published
2023-04-05T18:02:21Z
Modified
2024-10-15T05:56:54.657204Z
Summary
Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Details

The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack.

The otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration instruments. The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string). The metric instruments do not "forget" previous measurement attributes when "cumulative" temporality is used, meaning that the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.

References

Affected packages

Go / go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

Package

Name
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
View open source insights on deps.dev
Purl
pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

Affected ranges

Type
SEMVER
Events
Introduced
0.38.0
Fixed
0.39.0

Ecosystem specific

{
    "imports": [
        {
            "path": "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",
            "symbols": [
                "Handler.ServeHTTP"
            ]
        }
    ]
}