Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
Impact
OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing HTTP requests, and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming HTTP requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1 releases, the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore pass through the raw query string exactly as it was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented), which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.
Resolution
The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore now redact by default all values detected on transmitted or received query strings.
Example transmitted or received query string:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
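The redaction described above, reproduced as an added example that is not code from the advisory or from the OpenTelemetry project: every query value becomes "Redacted" while keys and order are kept, applied to both a bare url.query string and the query component of a url.full URL. It also includes a defender-side check that scans exported span attributes for query values that were not redacted (useful when auditing telemetry produced by versions before 1.8.1). The span records, the "Redacted" placeholder and the treatment of keys without a value are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Placeholder written in place of every query value (assumption: matches the advisory's example).
REDACTED = "Redacted"


def redact_query(query: str) -> str:
    """Replace every value in a raw query string with REDACTED, keeping keys and order.
    "?key1=value1&key2=value2" -> "?key1=Redacted&key2=Redacted".
    Works on the raw string rather than a parsed dict so duplicate keys and ordering survive.
    Assumption: a key with no '=' carries no value and is left untouched."""
    if not query:
        return query
    leading = query.startswith("?")
    body = query[1:] if leading else query
    parts = []
    for pair in body.split("&"):
        if "=" in pair:
            key, _value = pair.split("=", 1)
            parts.append(f"{key}={REDACTED}")
        else:
            parts.append(pair)
    out = "&".join(parts)
    return "?" + out if leading else out


def redact_url_full(url: str) -> str:
    """Redact only the query component of a full URL (scheme, host, path, fragment are kept)."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=redact_query(parts.query)))


def leaked_query_attributes(attributes: dict) -> list[str]:
    """Return the span attribute names whose query string still carries an unredacted value."""
    leaks = []
    for name in ("url.full", "url.query"):
        value = attributes.get(name)
        if not value:
            continue
        query = urlsplit(value).query if name == "url.full" else value.lstrip("?")
        for pair in query.split("&"):
            if "=" in pair and pair.split("=", 1)[1] not in ("", REDACTED):
                leaks.append(name)
                break
    return leaks


# Constructed sample spans (not real telemetry): one leaking, one redacted, one without a query.
SAMPLE_SPANS = [
    {"name": "GET /login", "attributes": {"url.query": "?user=alice&token=abc123"}},
    {"name": "HTTP GET", "attributes": {"url.full": "https://api.example.test/items?id=Redacted"}},
    {"name": "GET /health", "attributes": {"url.query": ""}},
]


def spans_with_leaks(spans: list[dict]) -> list[str]:
    """Names of spans whose url.full / url.query attribute still exposes raw query values."""
    return [s["name"] for s in spans if leaked_query_attributes(s["attributes"])]
```

Running spans_with_leaks over exported span data is a quick way to confirm that the instrumentation versions in use actually redact, rather than assuming the upgrade took effect.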
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 21 days ago
Updated: 16 days ago
CVSS Score: 4.1
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-vh2m-22xx-q94f, CVE-2024-32028
References:
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42
- https://nvd.nist.gov/vuln/detail/CVE-2024-32028
- https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md
- https://github.com/advisories/GHSA-vh2m-22xx-q94f
Blast Radius: 1.0
Affected Packages
nuget:OpenTelemetry.Instrumentation.AspNetCore
Dependent packages: 0
Dependent repositories: 0
Downloads: 48,682,061 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1
nuget:OpenTelemetry.Instrumentation.Http
Dependent packages: 0
Dependent repositories: 0
Downloads: 49,216,449 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1