Vulnerability Details CVE-2024-36129
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.5%
CVSS Severity
CVSS v3 Score 8.2
References
- https://github.com/open-telemetry/opentelemetry-collector/pull/10289
- https://github.com/open-telemetry/opentelemetry-collector/pull/10323
- https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
- https://opentelemetry.io/blog/2024/cve-2024-36129
- https://github.com/open-telemetry/opentelemetry-collector/pull/10289
- https://github.com/open-telemetry/opentelemetry-collector/pull/10323
- https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
- https://opentelemetry.io/blog/2024/cve-2024-36129
Products affected by CVE-2024-36129
-
cpe:2.3:a:opentelemetry:configgrpc:*
-
cpe:2.3:a:opentelemetry:confighttp:*
-
cpe:2.3:a:opentelemetry:opentelemetry_collector:*