opensearch-project / opentelemetry-demo

This repository contains the OpenSearch adaptation for the OpenTelemetry Astronomy Shop, a microservice-based distributed system intended to illustrate the implementation of OpenTelemetry in a near real-world environment.
https://opentelemetry.io/docs/demo/
Apache License 2.0

opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg: 1 vulnerabilities (highest severity is: 4.1) #129

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

ASP.NET Core instrumentation for OpenTelemetry .NET

Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

Path to dependency file: /src/cartservice/src/cartservice.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.aspnetcore/1.5.1-beta.1/opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-32028 | Medium | 4.1 | opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg | Direct | OpenTelemetry.Instrumentation.Http - 1.8.1, OpenTelemetry.Instrumentation.AspNetCore - 1.8.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-32028

### Vulnerable Library - opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

ASP.NET Core instrumentation for OpenTelemetry .NET

Library home page: https://api.nuget.org/packages/opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

Path to dependency file: /src/cartservice/src/cartservice.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/opentelemetry.instrumentation.aspnetcore/1.5.1-beta.1/opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg

Dependency Hierarchy:

- :x: **opentelemetry.instrumentation.aspnetcore.1.5.1-beta.1.nupkg** (Vulnerable Library)

Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028

Found in base branch: main

### Vulnerability Details

OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore`, the `url.full` attribute/tag is written on spans (`Activity`) when tracing is enabled for outgoing http requests, and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will pass through the raw query string as it was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented), which could cause privacy and/or security incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability. The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-04-12

URL: CVE-2024-32028

### CVSS 3 Score Details (4.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f

Release Date: 2024-04-12

Fix Resolution: OpenTelemetry.Instrumentation.Http - 1.8.1, OpenTelemetry.Instrumentation.AspNetCore - 1.8.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.


dblock commented 2 months ago

Catch All Triage - 1 2 3 4 5 6