Auth bypass in Open-telemetry Opentelemetry-collector-contrib
CVE-2024-45043
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated…
Vulnerability class: Information Disclosure
EPSS: 0.006 (69.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Open-telemetry Opentelemetry-collector-contrib — versions >= 0.49.0, < 0.108.0
Weakness classification (CWE)
References
- https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698 (x_refsource_CONFIRM)
- https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847 (x_refsource_MISC)
- https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74 (x_refsource_MISC)
- https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http (x_refsource_MISC)
- https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html (x_refsource_MISC)
- https://github.com/open-telemetry/opentelemetry-collector#alpha (x_refsource_MISC)
- https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver (x_refsource_MISC)
- https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0 (x_refsource_MISC)
- https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-45043?
- CVE-2024-45043 is a medium-severity vulnerability in Open-telemetry Opentelemetry-collector-contrib, classified under Information Disclosure. CVSS score: 5.3/10. Published 2024-08-28.
- How severe is CVE-2024-45043?
- Medium severity. CVSS v3 base score is 5.3 out of 10.