CVE-2023-47108: otelgrpc DoS vulnerability due to unbound cardinality metrics
(updated )
The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable for use in a grpc.NewServer call that has unbound cardinality. It leads to the server’s potential memory exhaustion when many malicious requests are sent.
References
- github.com/advisories/GHSA-8pgv-569h-w5rw
- github.com/open-telemetry/opentelemetry-go-contrib
- github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
- github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go
- github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0
- github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
- github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
- github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw
- nvd.nist.gov/vuln/detail/CVE-2023-47108
- pkg.go.dev/go.opentelemetry.io/otel/metric/noop
Code Behaviors & Features
Detect and mitigate CVE-2023-47108 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →