SCA: security update for go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful, go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin, go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux, go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho, go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron, go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace, go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (GHSA-rcjv-mgp8-qvmr)

high Tenable Cloud Security Plugin ID 418667

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper
out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to
the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-
Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library
internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In
order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown
HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this
issue when the values collected for attribute `http.request.method` were changed to be restricted to a set
of well-known values and other high cardinality attributes were removed. As a workaround to stop being
affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log
certain requests entirely. For convenience and safe usage of this library, it should by default mark with
the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do
not increase cardinality. In case someone wants to stay with the current behavior, library API should
allow to enable it. (CVE-2023-45142)

See Also

https://github.com/advisories/GHSA-rcjv-mgp8-qvmr

Plugin Details

Severity: High

ID: 418667

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-45142

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/16/2023

Vulnerability Publication Date: 10/12/2023

Reference Information

CVE: CVE-2023-45142

cwe: CWE-770