5 matches found
GHSA-394X-VWMW-CRM3 AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN
Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CN Common Name validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid D...
GHSA-5R5M-65GX-7VRH otelhttp and otelbeego have DoS vulnerability for high cardinality metrics
Impact The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration instruments. The ServerRequest...
Design/Logic Flaw
opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength,...
CVE-2023-25151
CVE-2023-25151 affects opentelemetry-go-contrib's otelhttp (v0.38.0) where ServerRequest records http.target as the full request URI (including query string). This causes high cardinality of metrics (http.server.request_content_length, http.server.response_content_length, http.server.duration) an...
Open Policy Agent Denial of Service Vulnerability
Open Policy Agent is a general-purpose policy engine that enables unified, context-aware policy enforcement across the stack. v0.39.0 of Open Policy Agent is vulnerable to a denial-of-service vulnerability that stems from an application misinterpreting each expression, triggering out-of-scope...