{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.190Z", "datePublished": "2024-06-05T17:26:13.903Z", "dateUpdated": "2024-08-02T03:30:13.165Z"}, "containers": {"cna": {"title": "OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"}, {"name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"}, {"name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"}, {"name": "https://opentelemetry.io/blog/2024/cve-2024-36129", "tags": ["x_refsource_MISC"], "url": "https://opentelemetry.io/blog/2024/cve-2024-36129"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-collector", "versions": [{"version": "< 0.102.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T17:26:13.903Z"}, "descriptions": [{"lang": "en", "value": "The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.\n"}], "source": {"advisory": "GHSA-c74f-6mfw-mm4v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "opentelemetry", "product": "opentelemetry", "cpes": ["cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.102.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T12:31:23.085235Z", "id": "CVE-2024-36129", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T15:38:47.454Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:13.165Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"}, {"name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"}, {"name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"}, {"name": "https://opentelemetry.io/blog/2024/cve-2024-36129", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://opentelemetry.io/blog/2024/cve-2024-36129"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36129", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T12:31:23.085235Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:*:*:*"], "vendor": "opentelemetry", "product": "opentelemetry", "versions": [{"status": "affected", "version": "0", "lessThan": "0.102.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T12:59:27.966Z"}}], "cna": {"title": "OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC", "source": {"advisory": "GHSA-c74f-6mfw-mm4v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-collector", "versions": [{"status": "affected", "version": "< 0.102.1"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v", "name": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289", "name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323", "name": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323", "tags": ["x_refsource_MISC"]}, {"url": "https://opentelemetry.io/blog/2024/cve-2024-36129", "name": "https://opentelemetry.io/blog/2024/cve-2024-36129", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T17:26:13.903Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36129", "state": "PUBLISHED", "dateUpdated": "2024-07-23T15:38:47.454Z", "dateReserved": "2024-05-20T21:07:48.190Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-05T17:26:13.903Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:configgrpc:*:*:*:*:*:go:*:*", "matchCriteriaId": "327CE873-41EC-401C-AF22-0A179C4A37D0", "versionEndExcluding": "0.102.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:confighttp:*:*:*:*:*:go:*:*", "matchCriteriaId": "13F55EF7-B8F7-4344-BE0C-C8129E57A306", "versionEndExcluding": "0.102.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry_collector:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F3C518A-75AF-4A34-83DF-9FCB346FE5EF", "versionEndExcluding": "0.102.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.\n"}, {"lang": "es", "value": "OpenTelemetry Collector ofrece una implementaci\u00f3n independiente del proveedor sobre c\u00f3mo recibir, procesar y exportar datos de telemetr\u00eda. Una vulnerabilidad de descompresi\u00f3n insegura permite a atacantes no autenticados bloquear el recopilador mediante un consumo excesivo de memoria. La versi\u00f3n 0.102.1 de OTel Collector soluciona este problema. Tambi\u00e9n est\u00e1 corregido en la versi\u00f3n 0.102.0 del m\u00f3dulo confighttp y en la versi\u00f3n 0.102.1 del m\u00f3dulo configgrpc."}], "id": "CVE-2024-36129", "lastModified": "2024-06-18T17:34:11.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-05T18:15:10.833", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10289"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/open-telemetry/opentelemetry-collector/pull/10323"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://opentelemetry.io/blog/2024/cve-2024-36129"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3943", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.2::el8", "package": "rhosdt/opentelemetry-collector-rhel8:0.102.0-2", "product_name": "Red Hat Openshift distributed tracing 3.2", "release_date": "2024-06-17T00:00:00Z"}], "bugzilla": {"description": "opentelemetry-collector: denial of service via specially crafted HTTP or gRPC request", "id": "2291337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2291337"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.", "A flaw was found in OpenTelemetry Collector. When sending an HTTP or gRPC request with a compressed payload, the Collector only verifies whether the compressed payload is beyond a certain limit but not its uncompressed version. This flaw allows an attacker using a specially crafted HTTP or gRPC request to trigger a denial of service."], "name": "CVE-2024-36129", "package_state": [{"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/opentelemetry-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/tempo-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Under investigation", "package_name": "rhosdt/tempo-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}], "public_date": "2024-06-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36129\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36129"], "threat_severity": "Important", "upstream_fix": "OpenTelemetry Collector 0.102.1"}