122 matches found
CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
Linux Distros Unpatched Vulnerability : CVE-2026-29181
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value...
UBUNTU-CVE-2026-39883
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
UBUNTU-CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39883
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
CVE-2026-39883 OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
CVE-2026-39883
OpenTelemetry-Go versions 1.15.0–1.42.0 contain an incomplete fix for CVE-2026-24051: when addressing the Darwin ioreg command to use an absolute path, the BSD kenv command was left with a bare command name, enabling a PATH hijacking attack on BSD and Solaris platforms. The issue is resolved in O...
CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
EUVD-2026-20630
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking...
GHSA-HFVC-G4FC-PQHX opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Summary The fix for GHSA-9h8m-3fm2-qjrq CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/hostid.go line 42: if result, err :=...
GHSA-W8RR-5GCM-PP58 opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
overview: this report shows that the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled or a network attacker can mitm t...
PT-2026-31450
Name of the Vulnerable Software and Affected Versions OpenTelemetry-Go versions 1.15.0 through 1.42.0 Description The fix for a previous issue changed the path used for one command but left another command vulnerable to a PATH hijacking attack on BSD and Solaris platforms. Specifically, the kenv...
OpenTelemetry-Go 安全漏洞
OpenTelemetry-Go is an open-source developer toolkit developed by OpenTelemetry - CNCF. Versions of OpenTelemetry-Go prior to 1.43.0 contained a security vulnerability; this vulnerability stemmed from the lack of restrictions on the size of the response body, which could lead to memory exhaustion...
OpenTelemetry-Go 代码问题漏洞
OpenTelemetry-Go is an open-source developer toolkit developed by OpenTelemetry - CNCF. Versions of OpenTelemetry-Go from 1.15.0 to 1.42.0 have code vulnerabilities that stem from path hijacking, which may lead to command execution...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the baggage header extraction process. An attacker can cause excessive CPU and memory allocations by sending numerous baggage header lines, even if each individual value remains...
DEBIAN-CVE-2026-29181
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines...
UBUNTU-CVE-2026-29181
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines...
CVE-2026-29181 OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines...