Closed renovate-bot closed 25 minutes ago
This PR was marked stale due to lack of activity. It will be closed in 7 days.
Closed as inactive. Feel free to reopen if this PR is still being worked on.
Because you closed this PR without merging, Renovate will ignore this update (1.8.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates: 1.7.1 -> 1.8.1
GitHub Vulnerability Alerts

CVE-2024-32028

Impact

OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests, and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans.

Up until 1.8.1, the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore pass through the raw query string as it was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented), which could cause privacy and/or security incidents.

Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.

Resolution

The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query string:
?key1=value1&key2=value2

Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
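As an added example (not code from the OpenTelemetry packages or from this PR), the following span processor applies the redaction described above to url.full and url.query in your own export pipeline, for instance while a service is still on an instrumentation version older than 1.8.1. It assumes the OpenTelemetry .NET BaseProcessor<Activity> API; the class name QueryStringRedactionProcessor is hypothetical.

```csharp
using System.Diagnostics;
using System.Text;
using OpenTelemetry;

// Hypothetical processor (not part of the OpenTelemetry packages): keeps every
// query-string key and replaces every value with "Redacted" on the url.full and
// url.query span attributes before the span reaches any exporter.
public sealed class QueryStringRedactionProcessor : BaseProcessor<Activity>
{
    // Register with: tracerProviderBuilder.AddProcessor(new QueryStringRedactionProcessor());
    public override void OnEnd(Activity activity)
    {
        if (activity.GetTagItem("url.full") is string full)
            activity.SetTag("url.full", RedactQueryValues(full, isFullUrl: true));
        if (activity.GetTagItem("url.query") is string query)
            activity.SetTag("url.query", RedactQueryValues(query, isFullUrl: false));
    }

    // isFullUrl: true for url.full ("https://h/p?a=1#x"), false for url.query ("a=1&b=2",
    // which per the semantic conventions carries no leading '?').
    public static string RedactQueryValues(string input, bool isFullUrl)
    {
        int queryStart = 0;
        if (isFullUrl)
        {
            int q = input.IndexOf('?');
            if (q < 0) return input;            // no query string, nothing to redact
            queryStart = q + 1;
        }
        int hash = input.IndexOf('#', queryStart);
        int queryEnd = hash < 0 ? input.Length : hash;   // leave any fragment untouched

        var sb = new StringBuilder(input.Length);
        sb.Append(input, 0, queryStart);                 // scheme/host/path and the '?'
        bool first = true;
        foreach (string pair in input.Substring(queryStart, queryEnd - queryStart).Split('&'))
        {
            if (!first) sb.Append('&');
            first = false;
            int eq = pair.IndexOf('=');
            if (eq < 0) sb.Append(pair);        // bare key with no value, nothing to hide
            else sb.Append(pair, 0, eq + 1).Append("Redacted");   // "a=b=c" -> "a=Redacted"
        }
        sb.Append(input, queryEnd, input.Length - queryEnd);
        return sb.ToString();
    }
}
```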
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.