GHSA-VH2M-22XX-Q94F

Vulnerability from github – Published: 2024-04-12 22:54 – Updated: 2024-04-15 19:41
VLAI?
Summary
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
Details

Impact

OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.

These attributes are defined by the Semantic Conventions for HTTP Spans.

Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.

Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.

Resolution

The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query sting:

?key1=value1&key2=value2

Example of redacted value written on telemetry:

?key1=Redacted&key2=Redacted

Severity ?
4.1 (Medium)
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Instrumentation.Http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OpenTelemetry.Instrumentation.AspNetCore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T22:54:09Z",
    "nvd_published_at": "2024-04-12T23:15:06Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\n`OpenTelemetry.Instrumentation.Http` writes the `url.full` attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http requests and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests.\n\nThese attributes are defined by the [Semantic Conventions for HTTP Spans](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md).\n\nUp until the `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` \u0026 `OpenTelemetry.Instrumentation.AspNetCore` will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.\n\nNote: Older versions of `OpenTelemetry.Instrumentation.Http` \u0026 `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability.\n\n## Resolution\n\nThe `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` \u0026 `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings.\n\nExample transmitted or received query sting:\n\n`?key1=value1\u0026key2=value2`\n\nExample of redacted value written on telemetry:\n\n`?key1=Redacted\u0026key2=Redacted`",
  "id": "GHSA-vh2m-22xx-q94f",
  "modified": "2024-04-15T19:41:05Z",
  "published": "2024-04-12T22:54:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32028"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-dotnet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.