CVE-2024-36129

EUVD-2024-2014
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue.  It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_MCNA
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
opentelemetryconfiggrpc
𝑥
< 0.102.1
opentelemetryconfighttp
𝑥
< 0.102.0
opentelemetryopentelemetry_collector
𝑥
< 0.102.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/open-telemetry/opentelemetry-collector/pull/10289
https://github.com/open-telemetry/opentelemetry-collector/pull/10323
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
https://opentelemetry.io/blog/2024/cve-2024-36129
https://github.com/open-telemetry/opentelemetry-collector/pull/10289
https://github.com/open-telemetry/opentelemetry-collector/pull/10323
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
https://opentelemetry.io/blog/2024/cve-2024-36129