4 matches found
CVE-2023-39951
CVE-2023-39951 affects OpenTelemetry Java Instrumentation prior to 1.28.0. When instrumenting AWS SDK v2 calls to SES v1, the request query parameters are inserted into the trace url.path, causing the HTTP body (subject and message) to be exposed in telemetry backends. This information disclosure...
CVE-2026-33701
OpenTelemetry Java instrumentation (opentelemetry-javaagent) contains an unsafe deserialization flaw in its RMI integration prior to version 2.26.1. If the agent is attached on a JDK 16 or earlier, and an RMI/JMX port is network-reachable with a gadget-chain–compatible library on the application ...
CVE-2026-54712
OpenTelemetry Java Instrumentation prior to 2.27.0 is affected. The issue resides in the RMI context propagation payload reader, which limits the number of context entries but does not limit the aggregate size of strings read, allowing an attacker who can reach a network-reachable RMI endpoint to...
CVE-2026-54704
OpenTelemetry Java Instrumentation contains a vulnerability in JDBC auto-instrumentation prior to version 2.28.0 where passwords in SQL CONNECT statements may not be sanitized if the password is double-quoted. This can cause clear-text database passwords to be added to trace spans and exported to...