Advisories for Pypi/Opentelemetry-Instrumentation package

2023

opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Summary
Autoinstrumentation out of the box adds the label http_method, which has unbound cardinality. This can lead to memory exhaustion on the server when many malicious requests are sent.

Details
The HTTP method of a request can easily be set by an attacker to a random, long value.

PoC
Send many requests with long randomly generated HTTP methods and observe how memory consumption increases.
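The defensive side of the issue, as an added Python example that is not the package's own code: normalize the request method to a fixed set of known values before using it as a metric label, and count how many distinct label values survive a batch of attacker-chosen methods. The list of known methods and the "_OTHER" placeholder are assumptions here, not values taken from the advisory.

```python
import random
import string
from collections import Counter

# Known HTTP methods; anything else collapses into one bucket so the label set
# stays bounded no matter what a client sends. (Assumed list for this example;
# the advisory does not state which set the instrumentation uses.)
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)
OTHER_METHOD = "_OTHER"  # assumed placeholder for unrecognized methods


def sanitize_http_method(method: str) -> str:
    """Return the method if it is a known one, otherwise a fixed placeholder."""
    return method if method in KNOWN_METHODS else OTHER_METHOD


def record_requests(methods, sanitize: bool) -> Counter:
    """Simulate a request counter keyed by the http_method label value."""
    counter = Counter()
    for m in methods:
        counter[sanitize_http_method(m) if sanitize else m] += 1
    return counter


def label_cardinality(methods, sanitize: bool) -> int:
    """Number of distinct http_method label values the metric would retain."""
    return len(record_requests(methods, sanitize))


def random_methods(n: int, seed: int = 0):
    """Constructed sample: n requests carrying long random method tokens."""
    rng = random.Random(seed)
    return ["".join(rng.choices(string.ascii_uppercase, k=64)) for _ in range(n)]


if __name__ == "__main__":
    hostile = random_methods(10_000) + ["GET", "POST"]
    # Without normalization every random token becomes a new label value;
    # with it, the metric holds only the known methods plus one extra bucket.
    print("unsanitized label values:", label_cardinality(hostile, sanitize=False))
    print("sanitized label values:  ", label_cardinality(hostile, sanitize=True))
```

The same bounded-count check can be run against a real metrics exporter to confirm that the label set stops growing once the normalization is in place.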