Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-CB9075130902B66E52BFCF8C22F4E859

HistoryJun 05, 2024 - 12:00 a.m.

Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

2024-06-0500:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

denial of service

unsafe decompression

vulnerability

software

http

grpc

memory consumption

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.

Affected configurations

Vulners

Node

goconfiggrpcRange<0.102.1

CPENameOperatorVersion
go/go.opentelemetry.io/collector/config/configgrpclt0.102.1

CPE	Name	Operator	Version
	go/go.opentelemetry.io/collector/config/configgrpc	lt	0.102.1

References

github.com/advisories/GHSA-c74f-6mfw-mm4v

github.com/open-telemetry/opentelemetry-collector

github.com/open-telemetry/opentelemetry-collector/pull/10289

github.com/open-telemetry/opentelemetry-collector/pull/10323

github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v

nvd.nist.gov/vuln/detail/CVE-2024-36129

opentelemetry.io/blog/2024/cve-2024-36129

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

Related for GITLAB-CB9075130902B66E52BFCF8C22F4E859