Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2024-36129
HistoryJun 05, 2024 - 6:15 p.m.

CVE-2024-36129

2024-06-0518:15:10
CWE-119
GitHub_M
web.nvd.nist.gov
38
opentelemetry collector
vendor-agnostic
telemetry data
vulnerability
memory consumption
unauthenticated
crash
version 0.102.1
confighttp
configgrpc
nvd

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

26.3%

JSON

The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.

Affected configurations

Nvd
Vulners
Vulnrichment
Node
opentelemetryconfiggrpcRange<0.102.1go
OR
opentelemetryconfighttpRange<0.102.0go
OR
opentelemetryopentelemetry_collectorRange<0.102.1
VendorProductVersionCPE
opentelemetryconfiggrpc*cpe:2.3:a:opentelemetry:configgrpc:*:*:*:*:*:go:*:*
opentelemetryconfighttp*cpe:2.3:a:opentelemetry:confighttp:*:*:*:*:*:go:*:*
opentelemetryopentelemetry_collector*cpe:2.3:a:opentelemetry:opentelemetry_collector:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "open-telemetry",
    "product": "opentelemetry-collector",
    "versions": [
      {
        "version": "< 0.102.1",
        "status": "affected"
      }
    ]
  }
]

Related

gitlab 2
osv 12
github 2
vulnrichment 1
nessus 3
ibm 1
nvd 1
wolfi 1
redhatcve 1
redhat 1
cvelist 1
amazon 1
gitlab
gitlab
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 00:00:00
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 00:00:00
osv
osv
CGA-pcg5-4j97-pg45
2024-06-06 12:26:13
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 16:56:19
CGA-6j3r-jg3v-43qf
2024-06-19 07:35:44
github
github
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 16:56:19
go-grpc-compression has a zstd decompression bombing vulnerability
2024-06-10 18:36:23
vulnrichment
vulnrichment
CVE-2024-36129 OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 17:26:13
nessus
nessus
OpenTelemetry Collector < 0.102.1 DoS
2024-06-14 00:00:00
Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2630)
2024-09-09 00:00:00
Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-708)
2024-09-09 00:00:00
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container Operations Dashboard is vulnerable to denial of service [CVE-2024-36129]
2024-07-19 09:47:29
nvd
nvd
CVE-2024-36129
2024-06-05 18:15:10
wolfi
wolfi
CVE-2024-36129 vulnerabilities
2024-09-27 09:13:12
redhatcve
redhatcve
CVE-2024-36129
2024-06-11 19:27:57
redhat
redhat
(RHSA-2024:3943) Important: Red Hat OpenShift distributed tracing 3.2.1 operator containers security update
2024-06-17 09:23:00
cvelist
cvelist
CVE-2024-36129 OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
2024-06-05 17:26:13
amazon
amazon
Important: amazon-cloudwatch-agent
2024-08-28 19:04:00

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

26.3%

JSON
Related for CVE-2024-36129
gitlab2osv12github2vulnrichment1nessus3ibm1nvd1wolfi1redhatcve1redhat1cvelist1amazon1