Description

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0

INFO

Published Date :

2024-08-13T19:31:16.814Z

Last Modified :

2024-08-14T13:38:51.917Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-42368 vulnerability.

Vendors Products
Opentelemetry
  • Opentelemetry Collector Contrib
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-42368.

URL Resource
https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a cve-icon cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516 cve-icon cve-icon cve-icon
https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-42368 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-42368 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact