opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg: 1 vulnerabilities (highest severity is: 4.1) #128
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Http instrumentation for OpenTelemetry .NET
Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Found in HEAD commit: ac07b100d175ac51ec339403398a005c55c391a0
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Http instrumentation for OpenTelemetry .NET
Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: ac07b100d175ac51ec339403398a005c55c391a0
Found in base branch: main
Vulnerability Details
OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of
OpenTelemetry.Instrumentation.HttpandOpenTelemetry.Instrumentation.AspNetCoretheurl.fullwrites attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests andOpenTelemetry.Instrumentation.AspNetCorewrites theurl.queryattribute/tag on spans (Activity) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version1.8.1the values written byOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions ofOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCoremay use different tag names but have the same vulnerability. The1.8.1versions ofOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.Publish Date: 2024-04-12
URL: CVE-2024-32028
CVSS 3 Score Details (4.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vh2m-22xx-q94f
Release Date: 2024-04-12
Fix Resolution: OpenTelemetry.Instrumentation.Http - 1.8.1, OpenTelemetry.Instrumentation.AspNetCore - 1.8.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: