GO-2023-2331

Source
https://pkg.go.dev/vuln/GO-2023-2331
Import Source
https://vuln.go.dev/ID/GO-2023-2331.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-2331
Aliases
Published
2024-06-27T18:00:06Z
Modified
2024-10-15T05:57:10.184281Z
Summary
Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
Details

The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can lead to the server's potential memory exhaustion when many malicious requests are sent. This leads to a denial-of-service.

References

Affected packages

Go / go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

Package

Name
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
View open source insights on deps.dev
Purl
pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.46.0

Ecosystem specific

{
    "imports": [
        {
            "path": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
            "symbols": [
                "StreamClientInterceptor",
                "StreamServerInterceptor",
                "UnaryClientInterceptor",
                "UnaryServerInterceptor",
                "spanInfo"
            ]
        }
    ]
}