You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore the url.full writes attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability. The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerable Library - opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Http instrumentation for OpenTelemetry .NET
Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Found in HEAD commit: ac07b100d175ac51ec339403398a005c55c391a0
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-32028
Vulnerable Library - opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Http instrumentation for OpenTelemetry .NET
Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Path to dependency file: /src/cartservice/src/cartservice.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.http/1.5.1-beta.1/opentelemetry.instrumentation.http.1.5.1-beta.1.nupkg
Dependency Hierarchy:
Found in HEAD commit: ac07b100d175ac51ec339403398a005c55c391a0
Found in base branch: main
Vulnerability Details
OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of
OpenTelemetry.Instrumentation.Http
andOpenTelemetry.Instrumentation.AspNetCore
theurl.full
writes attribute/tag on spans (Activity
) when tracing is enabled for outgoing http requests andOpenTelemetry.Instrumentation.AspNetCore
writes theurl.query
attribute/tag on spans (Activity
) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version1.8.1
the values written byOpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions ofOpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
may use different tag names but have the same vulnerability. The1.8.1
versions ofOpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.Publish Date: 2024-04-12
URL: CVE-2024-32028
CVSS 3 Score Details (4.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh2m-22xx-q94f
Release Date: 2024-04-12
Fix Resolution: OpenTelemetry.Instrumentation.Http - 1.8.1, OpenTelemetry.Instrumentation.AspNetCore - 1.8.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: