CVE-2024-32028

Vulnerability Description

OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` the `url.full` writes attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http requests and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests. These attributes are defined by the Semantic Conventions for HTTP Spans. Up until version `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability. The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

Related Weaknesses (CWE)

References

• https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1ca
• https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-
• https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-
• https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1ca
• https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-
• https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-