CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
37.8%
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc is vulnerable to Denial of Service. The vulnerability is caused by the grpc unary server interceptor having out of the box labels. The labels net.peer.sock.addr and net.peer.sock.port have unbound cardinality. This leads to potential memory exhaustion when many malicious requests are sent.
github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327
github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138
github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw
pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider