CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
AI Score
Confidence
Low
EPSS
Percentile
16.3%
The bearertokenauth extension’s server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens.
For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/.
This impacts anyone using the bearertokenauth
server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector’s telemetry pipeline.
The observable timing vulnerability was fixed by @axw in v0.107.0 (PR https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516) by using constant-time comparison.
bearertokenauth
to network segments accessible by potential attackers, orbearertokenauth
Vendor | Product | Version | CPE |
---|---|---|---|
open-telemetry | opentelemetry-collector-contrib | * | cpe:2.3:a:open-telemetry:opentelemetry-collector-contrib:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-rfxf-mf63-cpqv
github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv
nvd.nist.gov/vuln/detail/CVE-2024-42368