
Uncontrolled Resource Consumption

CVE-2023-25151

Severity High
Score 7.5/10

Summary

The opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. Releases of "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp" from 0.38.0 up to but not including 0.39.0 use the "httpconv.ServerRequest" function to annotate metric measurements for the "http.server.request_content_length", "http.server.response_content_length", and "http.server.duration" instruments. The "ServerRequest" function sets the "http.target" attribute value to the whole request URI, including the query string. The metric instruments do not "forget" previous measurement attributes when "cumulative" temporality is used; as a result, the cardinality of the measurements allocated is directly correlated with the number of unique URIs handled. If the query string is constantly random, this results in a constant increase in memory allocation that can be used in a denial-of-service attack. Users are advised to upgrade. NOTE: The affected versions of this package are not available in a package manager we support.
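The cardinality growth described above, shown as an added Go illustration that is not code from opentelemetry-go-contrib: a toy cumulative instrument keeps one series per distinct attribute set, and a hypothetical vulnerableTarget (whole request URI, as in the affected "http.target" behaviour) is compared with a boundedTarget that keeps only the path. The "nonce" query values are constructed sample input standing in for attacker-varied query strings.

```go
package main

import (
	"fmt"
	"net/url"
)

// attrSet mirrors the attribute set a cumulative metric instrument keeps per
// unique combination of attribute values; every new set allocates and is never released.
type attrSet struct{ method, target string }

// cumulativeInstrument is a stand-in for a cumulative-temporality counter:
// it retains one entry per distinct attribute set for the life of the process.
type cumulativeInstrument struct{ series map[attrSet]int64 }

func newInstrument() *cumulativeInstrument {
	return &cumulativeInstrument{series: map[attrSet]int64{}}
}

func (c *cumulativeInstrument) record(method, target string, v int64) {
	c.series[attrSet{method, target}] += v
}

// cardinality is the number of retained series, i.e. the memory growth driver.
func (c *cumulativeInstrument) cardinality() int { return len(c.series) }

// vulnerableTarget mimics the affected behaviour: the full URI, query string included.
func vulnerableTarget(u *url.URL) string { return u.RequestURI() }

// boundedTarget keeps only the path, so client-controlled query strings cannot
// create new series (a route pattern would bound it further; assumed mitigation).
func boundedTarget(u *url.URL) string { return u.Path }

// simulate records n requests that differ only in a constructed query value and
// returns how many series the instrument ends up holding.
func simulate(n int, targetFn func(*url.URL) string) int {
	inst := newInstrument()
	for i := 0; i < n; i++ {
		u, _ := url.Parse(fmt.Sprintf("/api/items?nonce=%d", i)) // constructed input
		inst.record("GET", targetFn(u), 1)
	}
	return inst.cardinality()
}

func main() {
	fmt.Println("series with full URI :", simulate(1000, vulnerableTarget)) // 1000
	fmt.Println("series with path only:", simulate(1000, boundedTarget))    // 1
}
```

With the full URI every request allocates a new series, so retained memory scales with request count; with the path alone it stays constant.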

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.

Advisory Timeline

  • Published