CVE-2024-36129

EUVD-2024-2014
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue.  It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
opentelemetryconfiggrpc
𝑥
< 0.102.1
opentelemetryconfighttp
𝑥
< 0.102.0
opentelemetryopentelemetry_collector
𝑥
< 0.102.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
opentelemetryopentelemetry
𝑥
< 0.102.1
ADP
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
amazon-cloudwatch-agent
Amazon Linux 2
0:1.300044.0-1.amzn2
fixed
Amazon Linux 2023
0:1.300044.0-1.amzn2023
fixed