763 matches found

NVD
added 2024/08/28 8:15 p.m., 16 views

CVE-2024-45043

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS: 5.3, EPSS: 0.00578
Exploits: 0, References: 9
OSV
added 2024/08/28 8:6 p.m., 2 views

CVE-2024-45043 OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS: 5.3, AI score: 6.8, EPSS: 0.00578
Exploits: 0, References: 11
CVE
added 2024/08/28 8:6 p.m., 55 views

CVE-2024-45043

CVE-2024-45043 – OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass. Affected component: OpenTelemetry Collector Contrib awsfirehosereceiver (alpha module). Issue: when configured to require an access key (X-Amz-Firehose-Access-Key), the receiver still accepts requests with no key...

CVSS: 5.3, AI score: 5.3, EPSS: 0.00578
Exploits: 0, References: 9
Vulnrichment
added 2024/08/28 8:6 p.m., 20 views

CVE-2024-45043 OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS: 5.3, AI score: 7.1, EPSS: 0.00578
Exploits: 0, References: 9
Cvelist
added 2024/08/28 8:6 p.m., 18 views

CVE-2024-45043 OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS: 5.3, EPSS: 0.00578
Exploits: 0, References: 9
CNNVD
added 2024/08/28 12:0 a.m., 1 view

OpenTelemetry Collector Security Vulnerability

OpenTelemetry Collector is a software from the OpenTelemetry project for receiving, processing, and exporting telemetry data. A security vulnerability exists in OpenTelemetry Collector that originates from allowing unauthenticated remote requests...

CVSS: 5.3, AI score: 6.7, EPSS: 0.00578
Exploits: 0, References: 9
RedhatCVE
added 2024/08/15 5:18 p.m., 12 views

CVE-2024-42368

A vulnerability was found in OpenTelemetry, specifically in the github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension. This flaw impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform...

CVSS: 6.5, AI score: 6.2, EPSS: 0.00041
Exploits: 0, References: 6
Tenable Nessus
added 2024/08/15 12:0 a.m., 12 views

OpenTelemetry Collector < 0.107.0 Timing Discrepancy

The OpenTelemetry Collector running on the remote host is prior to 0.107.0. It is, therefore, affected by a timing discrepancy vulnerability, outlined below: The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00041
Exploits: 0, References: 2
Veracode
added 2024/08/14 5:13 a.m., 9 views

Timing Attack

github.com/open-telemetry/opentelemetry-collector-contrib is vulnerable to Timing Attack. The vulnerability is due to the improper implementation of non-constant time string comparison in the bearertokenauth server authenticator, which allows attackers to infer the correct bearer token based on...

CVSS: 6.5, AI score: 7, EPSS: 0.00041
Exploits: 0, References: 4, Affected Software: 1
NVD
added 2024/08/13 8:15 p.m., 10 views

CVE-2024-42368

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

CVSS: 6.5, EPSS: 0.00041
Exploits: 0, References: 3
OSV
added 2024/08/13 7:31 p.m., 8 views

CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

CVSS: 6.5, AI score: 6.3, EPSS: 0.00041
Exploits: 0, References: 5
CVE
added 2024/08/13 7:31 p.m., 278 views

CVE-2024-42368

The CVE-2024-42368 issue affects the bearertokenauth server authenticator in OpenTelemetry Collector contributions. A timing-discrepancy arises from non-constant time string comparisons of bearer tokens, enabling a network-adjacent attacker to infer the configured token by measuring response time...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00041
Exploits: 0, References: 3
Vulnrichment
added 2024/08/13 7:31 p.m., 10 views

CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

CVSS: 6.5, AI score: 6.9, EPSS: 0.00041
Exploits: 0, References: 3
Cvelist
added 2024/08/13 7:31 p.m., 11 views

CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

CVSS: 6.5, EPSS: 0.00041
Exploits: 0, References: 3
CNNVD
added 2024/08/13 12:0 a.m., 1 view

OpenTelemetry Security Vulnerability

OpenTelemetry is a vendor-neutral, open source observability framework from the OpenTelemetry project. A security vulnerability exists in OpenTelemetry versions from 0.80.0 up to, but not including, 0.107.0, which stems from the possibility that a malicious client with network access to a collector could perfor...

CVSS: 6.5, AI score: 6.3, EPSS: 0.00041
Exploits: 0, References: 4
Positive Technologies
added 2024/08/13 12:0 a.m., 1 view

PT-2024-29902

Name of the Vulnerable Software and Affected Versions: OpenTelemetry versions prior to 0.107.0. Description: OpenTelemetry is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data. The bearertokenauth extension's server...

CVSS: 6.9, AI score: 6.6, EPSS: 0.00041
Exploits: 0, References: 13
Spring Engineering
added 2024/08/07 12:0 a.m., 7 views

This Week in Spring - August 6th, 2024

It's August! Egads, has that come quickly! AUGUST. The eighth month of the year, and we're almost done with the first week, in fact! It's not that I'm not grateful to be here, but, yah, wow that was quick. And, of course, the month of my all time double dutch favorite conference, SpringOne,...

AI score: 7.1
Exploits: 0
Tenable Nessus
added 2024/08/06 12:0 a.m., 17 views

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2024-697)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-697 advisory. 2024-08-28: CVE-2024-24790 was added to this advisory. 2024-08-09: CVE-2023-47108 was removed from this advisory. 2024-08-09: The severity of this advisory has been changed from Important to...

CVSS: 9.8, AI score: 7, EPSS: 0.04299
Exploits: 0, References: 6
Chainguard
added 2024/07/30 10:18 a.m., 7 views

GHSA-V23V-6JW2-98FQ vulnerabilities

Vulnerabilities for packages: flux, vexctl, tekton-chains, dagdotdev, cadvisor, docker-credential-gcr, kaniko, docker-compose, crossplane, rancher-fleet, flux-source-controller, traefik-fips, cosign, syft, dagger, cert-manager-cmctl-fips, guac, apko, argo-workflows, cert-manager-cmctl,...

AI score: 5.4
Exploits: 0
Wolfi
added 2024/07/30 10:18 a.m., 29 views

GHSA-V23V-6JW2-98FQ vulnerabilities

Vulnerabilities for packages: cilium-cli, helm, neuvector-scanner, teleport, grype, gitsign, ctop, neuvector-sigstore-interface, k8sgpt, k3d, opentelemetry-collector, crossplane, helm-operator, k3s, buf, kubescape, tekton-chains, flux, policy-controller, vcluster, apko, dagdotdev, helm-push,...

AI score: 5.4
Exploits: 0