open-telemetry opentelemetry-dotnet up to 1.8.0 Query String improper removal of sensitive information before storage or transfer

Summaryinfo

A vulnerability classified as problematic has been found in open-telemetry opentelemetry-dotnet up to 1.8.0. This affects an unknown part of the component Query String Handler. This manipulation causes improper removal of sensitive information before storage or transfer. This vulnerability is handled as CVE-2024-32028. The attack can only be done within the local network. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability has been found in open-telemetry opentelemetry-dotnet up to 1.8.0 and classified as problematic. Affected by this vulnerability is some unknown processing of the component Query String Handler. The manipulation with an unknown input leads to a improper removal of sensitive information before storage or transfer vulnerability. The CWE definition for the vulnerability is CWE-212. The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. As an impact it is known to affect confidentiality. The summary by CVE is:

OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` the `url.full` writes attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http requests and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability. The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.

The advisory is shared at github.com. This vulnerability is known as CVE-2024-32028 since 04/09/2024. The exploitation appears to be easy. Access to the local network is required for this attack to succeed. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 1.8.1 eliminates this vulnerability. Applying the patch e222ecb5942d4ce1cadfd4306c39e3f4933a5c42 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• open-telemetry

Name

• opentelemetry-dotnet

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8.0

License

• open-source

Website

• Product: https://github.com/open-telemetry/opentelemetry-dotnet/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion