CVE-2024-32028: Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.
References
- github.com/advisories/GHSA-vh2m-22xx-q94f
- github.com/open-telemetry/opentelemetry-dotnet
- github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
- nvd.nist.gov/vuln/detail/CVE-2024-32028
Detect and mitigate CVE-2024-32028 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →