Vulnerability in Open-telemetry Opentelemetry-dotnet
CVE-2024-32028
OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` the `url.full` writes attribute/tag on spans (`Activity`) when tracing is ena…
EPSS: 0.000 (12.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.1 (Medium). Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N.
Affected products
- Open-telemetry Opentelemetry-dotnet — versions < 1.8.1
Weakness classification (CWE)
References
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f (x_refsource_CONFIRM)
- https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42 (x_refsource_MISC)
- https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-32028?
- CVE-2024-32028 is a medium-severity vulnerability in Open-telemetry Opentelemetry-dotnet, classified under Improper Removal of Sensitive Information Before Storage or Transfer. CVSS score: 4.1/10. Published 2024-04-12.
- How severe is CVE-2024-32028?
- Medium severity. CVSS v3 base score is 4.1 out of 10.