CVE-2024-32028 MEDIUM

CVE-2024-32028: Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore

Vendor Open-Telemetry
Product opentelemetry-dotnet
Weakness CWE-212
Published April 12, 2024
Last update August 2, 2024

CVSS base score

4.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` the `url.full` writes attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http requests and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability. The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

April 12, 2024 CVE published
August 2, 2024 Record updated