CVE-2025-0495
CVE-2025-0495 affects docker-buildx/moby-buildx (Buildx) where credentials set as attribute values in cache-to/cache-from can be captured by OpenTelemetry traces and BuildKit history. Exploitation status is not detailed in the provided sources. The vulnerability does not apply to secrets passed v...
CVE-2025-0495 Secrets leakage to telemetry endpoint via cache backend configuration via buildx
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry...
PT-2025-11542 · Docker +4 · Buildx +4
Name of the Vulnerable Software and Affected Versions: Buildx (affected versions not specified). Description: The issue concerns the Buildx Docker CLI plugin, which extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values ...
buildx security vulnerability
buildx is a Docker CLI plugin open-sourced by Docker to extend build functionality through BuildKit. A security vulnerability exists in buildx that stems from the possibility that security values may be inadvertently captured in an OpenTelemetry trace when caching backend support credentials...
Important: Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.5.0 release
Red Hat build of OpenTelemetry 3.5.0 has been released. Release of Red Hat OpenShift distributed tracing provides the following security improvements, bug fixes, and new features. Breaking changes: Nothing. Deprecations: In the Red Hat build of OpenTelemetry 3.5, the Loki Exporter, which is a temporary...
Allocation of Resources Without Limits or Throttling
Overview: OpenTelemetry.Api is a package that application developers and library authors use to instrument their application/library. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of tracestate and traceparent...
GHSA-8785-WC3W-H8Q6 OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Impact: What kind of vulnerability is it? Who is impacted? A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving the...
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Impact: What kind of vulnerability is it? Who is impacted? A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving the...
CVE-2025-27513 OpenTelemetry .NET has a Denial of Service (DoS) Vulnerability in API Package
OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these...
CVE-2025-27513
OpenTelemetry.Api (OpenTelemetry .NET) version 1.10.0–1.11.1 is vulnerable to a DoS via tracestate/traceparent headers, causing high CPU and degraded performance. The issue is fixed in 1.11.2; upgrading is recommended. If not upgrading, exposed web/backend services processing such HTTP headers ma...
Linux Distros Unpatched Vulnerability : CVE-2023-47108
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary...
OpenTelemetry .NET security vulnerability
OpenTelemetry .NET is the .NET client for OpenTelemetry from OpenTelemetry, Inc. A security vulnerability exists in OpenTelemetry .NET versions 1.10.0 through 1.11.1 that stems from improper handling of headers, resulting in a denial of service attack...
Linux Distros Unpatched Vulnerability : CVE-2023-45142
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.useragent and http.meth...
Linux Distros Unpatched Vulnerability : CVE-2024-42368
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry da...
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.
...
CVE-2024-50609
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access to the...
AZL-57078 CVE-2024-50609 affecting package fluent-bit for versions less than 3.1.9-3
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access to the...
AZL-57086 CVE-2024-50609 affecting package fluent-bit for versions less than 3.0.6-2
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access to the...