Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B

Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore

Impact

OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.

These attributes are defined by the Semantic Conventions for HTTP Spans.

Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.

Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.

Resolution

The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query sting:

?key1=value1&key2=value2

Example of redacted value written on telemetry:

?key1=Redacted&key2=Redacted

Permalink: https://github.com/advisories/GHSA-vh2m-22xx-q94f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago


CVSS Score: 4.1
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Identifiers: GHSA-vh2m-22xx-q94f, CVE-2024-32028
References: Repository: https://github.com/open-telemetry/opentelemetry-dotnet
Blast Radius: 1.0

Affected Packages

nuget:OpenTelemetry.Instrumentation.AspNetCore
Dependent packages: 55
Dependent repositories: 0
Downloads: 53,929,797 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1
nuget:OpenTelemetry.Instrumentation.Http
Dependent packages: 46
Dependent repositories: 0
Downloads: 54,351,070 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1