Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
Impact
OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.
Resolution
The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.
Example transmitted or received query sting:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDJtLTIyeHgtcTk0Zs4AA6-B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 21 days ago
Updated: 16 days ago
CVSS Score: 4.1
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-vh2m-22xx-q94f, CVE-2024-32028
References:
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42
- https://nvd.nist.gov/vuln/detail/CVE-2024-32028
- https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md
- https://github.com/advisories/GHSA-vh2m-22xx-q94f
Blast Radius: 1.0
Affected Packages
nuget:OpenTelemetry.Instrumentation.AspNetCore
Dependent packages: 0Dependent repositories: 0
Downloads: 48,682,061 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1
nuget:OpenTelemetry.Instrumentation.Http
Dependent packages: 0Dependent repositories: 0
Downloads: 49,216,449 total
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 1.6.0, 1.7.0, 1.7.1, 1.8.0
All unaffected versions: 1.8.1