OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds the labels `net.peer.sock.addr` and `net.peer.sock.port`, which have unbounded cardinality. This can lead to memory exhaustion on the server when many malicious requests are sent, because an attacker can easily vary the peer address and port across requests. Version 0.46.0 contains a fix for this issue. As a workaround, a view that removes the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing the `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
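The following is an added example, not code from the OpenTelemetry-Go Contrib project or from this advisory. It models, with the standard library only, why the two peer attributes are dangerous and why the "view removing the attributes" workaround bounds the damage: a histogram keeps one time series per distinct attribute set, so a label whose value is the client's ephemeral source port yields a new series for practically every connection. The `DenyKeys` filter here is a stand-in for the real SDK's `attribute.NewDenyKeysFilter`; the attribute names are the ones the advisory cites, and the request inputs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attrs is one metric attribute set (key -> value).
type Attrs map[string]string

// seriesKey renders an attribute set in canonical key order so that
// equal sets always map to the same time series.
func seriesKey(a Attrs) string {
	keys := make([]string, 0, len(a))
	for k := range a {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(a[k])
		b.WriteByte(';')
	}
	return b.String()
}

// Filter reports whether an attribute key is kept on a series.
type Filter func(key string) bool

// DenyKeys returns a filter that drops the listed keys and keeps all others.
// It plays the role of attribute.NewDenyKeysFilter in a metric SDK view (assumption:
// modelled here, not the SDK's code).
func DenyKeys(keys ...string) Filter {
	denied := make(map[string]struct{}, len(keys))
	for _, k := range keys {
		denied[k] = struct{}{}
	}
	return func(key string) bool {
		_, drop := denied[key]
		return !drop
	}
}

// Histogram is a minimal model of an aggregating instrument: it holds one
// entry per distinct (filtered) attribute set, which is what consumes memory.
type Histogram struct {
	filter Filter
	series map[string]int
}

// NewHistogram creates a histogram; a nil filter keeps every attribute,
// which is the pre-0.46.0 behaviour the advisory describes.
func NewHistogram(f Filter) *Histogram {
	return &Histogram{filter: f, series: make(map[string]int)}
}

// Record applies the filter and counts one observation on the resulting series.
func (h *Histogram) Record(a Attrs) {
	kept := make(Attrs, len(a))
	for k, v := range a {
		if h.filter == nil || h.filter(k) {
			kept[k] = v
		}
	}
	h.series[seriesKey(kept)]++
}

// Cardinality is the number of distinct series currently held in memory.
func (h *Histogram) Cardinality() int { return len(h.series) }

// SimulateRequests records n RPCs whose peer address and port vary per
// connection (constructed input: 200 client addresses, a fresh ephemeral port each time).
func SimulateRequests(h *Histogram, n int) {
	for i := 0; i < n; i++ {
		h.Record(Attrs{
			"rpc.system":         "grpc",
			"rpc.service":        "example.Service", // constructed service name
			"rpc.method":         "Ping",
			"net.peer.sock.addr": fmt.Sprintf("10.0.0.%d", i%200+1),
			"net.peer.sock.port": fmt.Sprintf("%d", 32768+i),
		})
	}
}

func main() {
	const requests = 1000

	unbounded := NewHistogram(nil)
	SimulateRequests(unbounded, requests)

	bounded := NewHistogram(DenyKeys("net.peer.sock.addr", "net.peer.sock.port"))
	SimulateRequests(bounded, requests)

	fmt.Printf("series without filter: %d (one per connection)\n", unbounded.Cardinality())
	fmt.Printf("series with deny-key view: %d\n", bounded.Cardinality())
}
```

The unfiltered histogram grows by one series per request because the source port alone is unique per connection, so the cardinality is bounded only by how many connections a client is willing to open. With the peer keys denied, the remaining attributes (`rpc.system`, `rpc.service`, `rpc.method`) are controlled by the server's own API surface, and the series count stays fixed. In the real SDK the same effect is obtained by registering a view whose `Stream.AttributeFilter` is `attribute.NewDenyKeysFilter(...)` for the `rpc.server.*` instruments, or, as the advisory notes, by handing the interceptor a no-op meter provider.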
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-11-10T18:31:33.730Z
Updated: 2023-11-10T18:31:33.730Z
Reserved: 2023-10-30T19:57:51.673Z
Link: CVE-2023-47108
NVD Information
Status: Analyzed
Published: 2023-11-10T19:15:16.410
Modified: 2023-11-20T19:34:26.493
Link: CVE-2023-47108
Redhat Information
No data.
CWE