Vulnerability Description
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opentelemetry | Configgrpc | < 0.102.1 |
| Opentelemetry | Confighttp | < 0.102.0 |
| Opentelemetry | Opentelemetry Collector | < 0.102.1 |
Related Weaknesses (CWE)
References
- https://github.com/open-telemetry/opentelemetry-collector/pull/10289Patch
- https://github.com/open-telemetry/opentelemetry-collector/pull/10323Patch
- https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHExploitThird Party Advisory
- https://opentelemetry.io/blog/2024/cve-2024-36129Vendor Advisory
- https://github.com/open-telemetry/opentelemetry-collector/pull/10289Patch
- https://github.com/open-telemetry/opentelemetry-collector/pull/10323Patch
- https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHExploitThird Party Advisory
- https://opentelemetry.io/blog/2024/cve-2024-36129Vendor Advisory
FAQ
What is CVE-2024-36129?
CVE-2024-36129 is a vulnerability with a CVSS score of 8.2 (HIGH). The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to cras...
How severe is CVE-2024-36129?
CVE-2024-36129 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-36129?
Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Configgrpc, Opentelemetry Confighttp, Opentelemetry Opentelemetry Collector.