
5 matches found

RedhatCVE
added 2023/02/22 1:31 a.m., 41 views

CVE-2023-25151

A flaw was found in opentelemetry-go. The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration...

7.5 CVSS, 7.1 AI score, 0.00468 EPSS
Exploits: 1, References: 5
OSV
added 2023/02/08 10:32 p.m., 25 views

GHSA-5R5M-65GX-7VRH otelhttp and otelbeego have DoS vulnerability for high cardinality metrics

Impact: The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments. The ServerRequest...

7.5 CVSS, 8.8 AI score, 0.01159 EPSS
Exploits: 1, References: 4
Prion
added 2023/02/08 8:15 p.m., 15 views

Design/Logic Flaw

opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length,...

5 CVSS, 7.4 AI score, 0.00468 EPSS
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2023/02/08 7:21 p.m., 155 views

CVE-2023-25151

CVE-2023-25151 affects opentelemetry-go-contrib's otelhttp (v0.38.0) where ServerRequest records http.target as the full request URI (including query string). This causes high cardinality of metrics (http.server.request_content_length, http.server.response_content_length, http.server.duration) an...

7.5 CVSS, 7.3 AI score, 0.00468 EPSS
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2022/11/10 3:51 p.m., 22 views

Redwood is vulnerable to account takeover via dbAuth "forgot-password"

Impact: What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's dbAuth, specifically the dbAuth forgot password feature:
- only projects with the dbAuth "forgot password" feature are affected
- this vulnerability was introduced in v0.38.0

User Accounts are...

1.9 AI score
Exploits: 0, References: 6, Affected Software: 1