761 matches found
CVE-2026-32282 vulnerabilities
Vulnerabilities for packages: flux, istio, kots, runc, kaf, libnvidia-container, karpenter, net-kourier, newrelic-fluent-bit-output, kubernetes, nerdctl, argo-cd, kubescape, aactl, dask-gateway, external-dns, cilium-cli, k3s, prometheus-operator, azurefile-csi, kubernetes-dashboard, coredns,...
GHSA-X4JJ-H2V8-HQQV vulnerabilities
Vulnerabilities for packages: docker-cli-buildx, eksctl, filebrowser, net-kourier, newrelic-fluent-bit-output, rabbitmq-messaging-topology-operator, argo-cd, kubescape, aactl, crossplane, kbld, flux-operator, azurefile-csi, opentofu, tofu-controller, knative-serving, aws-flb-kinesis,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: authservice, docker-cli-buildx, yunikorn-k8shim, terraform-docs, eksctl, db-operator, emissary, filebrowser, net-kourier, newrelic-fluent-bit-output, delve, terraform-provider-azapi, cloudnative-pg, apisix-ingress-controller, trillian, cis-operator, kafka-proxy,...
CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
Linux Distros Unpatched Vulnerability : CVE-2026-29181
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value...
CVE-2026-39883
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
UBUNTU-CVE-2026-39883
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
UBUNTU-CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39883 OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This...
CVE-2026-39883
OpenTelemetry-Go versions 1.15.0–1.42.0 contain an incomplete fix for CVE-2026-24051: when addressing the Darwin ioreg command to use an absolute path, the BSD kenv command was left with a bare command name, enabling a PATH hijacking attack on BSD and Solaris platforms. The issue is resolved in O...
CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...
CVE-2026-39882
OpenTelemetry-Go OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into memory without a cap, enabling memory exhaustion if the collector endpoint is attacker-controlled. Affected: otlp HTTP exporters prior to v1.43.0. Impact: high availability risk due to memory usage. F...
EUVD-2026-20630
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking...
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Summary The fix for GHSA-9h8m-3fm2-qjrq CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/hostid.go line 42: if result, err :=...
GHSA-HFVC-G4FC-PQHX opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
Summary The fix for GHSA-9h8m-3fm2-qjrq CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. Root Cause sdk/resource/hostid.go line 42: if result, err :=...
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
overview: this report shows that the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled or a network attacker can mitm t...
EUVD-2026-20628
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies...
GHSA-W8RR-5GCM-PP58 opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
overview: this report shows that the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled or a network attacker can mitm t...