SCA: security update for OpenTelemetry.Instrumentation.AspNetCore, OpenTelemetry.Instrumentation.Http (GHSA-vh2m-22xx-q94f)

medium Tenable Cloud Security Plugin ID 419340

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions,
`OpenTelemetry.Instrumentation.Http` writes the `url.full` attribute/tag on spans (`Activity`) when
tracing is enabled for outgoing HTTP requests, and `OpenTelemetry.Instrumentation.AspNetCore` writes the
`url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming HTTP requests. These
attributes are defined by the Semantic Conventions for HTTP Spans. Prior to version `1.8.1`, the values
written by `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore` pass
through the raw query string exactly as it was sent or received (respectively). This may lead to sensitive
information (e.g. EUII, End User Identifiable Information, credentials, etc.) being leaked into telemetry
backends (depending on the application(s) being instrumented), which could cause privacy and/or security
incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` and
`OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability.
The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore`
now redact by default all values detected in transmitted or received query strings. Users are advised to
upgrade. There are no known workarounds for this vulnerability. (CVE-2024-32028)
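Added example, not from the advisory, Tenable, or the OpenTelemetry project: a compensating `Activity` processor that replaces every query-string value on the `url.full` and `url.query` tags before any exporter sees the span, for services that cannot move to `1.8.1` immediately. The advisory lists no workaround and the upgrade is the fix; this only shortens the exposure window, and it only works if it is registered before the exporter, because the OpenTelemetry .NET SDK runs processors in registration order. Assumptions: the `OpenTelemetry` and `OpenTelemetry.Exporter.Console` packages are referenced, the `redaction-demo` source name and the sample span are constructed for the demo, the legacy tag names `http.url` and `http.target` are what older instrumentation versions are assumed to use, and the `Redacted` placeholder is this example's own choice.

```csharp
using System.Diagnostics;
using OpenTelemetry;
using OpenTelemetry.Trace;

// Compensating control for CVE-2024-32028 on instrumentation versions before 1.8.1:
// scrubs query-string values from url.full / url.query before export. Upgrading to
// 1.8.1, which redacts by default, is the real fix; this only narrows the window.
public sealed class QueryStringRedactionProcessor : BaseProcessor<Activity>
{
    // Semantic-convention names from the advisory plus legacy names (assumed) that
    // older instrumentation versions used. http.target carried path+query, so it is
    // handled like a full URL.
    private static readonly string[] UrlLikeTags = { "url.full", "http.url", "http.target" };
    private static readonly string[] QueryOnlyTags = { "url.query" };

    public override void OnEnd(Activity activity)
    {
        // Runs when the span is stopped, before later-registered processors/exporters.
        foreach (var tag in UrlLikeTags)
        {
            if (activity.GetTagItem(tag) is string url)
                activity.SetTag(tag, RedactUrl(url));   // SetTag overwrites an existing key
        }
        foreach (var tag in QueryOnlyTags)
        {
            if (activity.GetTagItem(tag) is string query)
                activity.SetTag(tag, RedactQuery(query));
        }
    }

    // Redacts the query part of a full URL or a path+query value; the fragment is kept.
    public static string RedactUrl(string value)
    {
        int q = value.IndexOf('?');
        if (q < 0) return value;                       // no query string, nothing to leak
        int hash = value.IndexOf('#', q);
        string query = hash < 0 ? value.Substring(q + 1) : value.Substring(q + 1, hash - q - 1);
        string fragment = hash < 0 ? "" : value.Substring(hash);
        return value.Substring(0, q + 1) + RedactQuery(query) + fragment;
    }

    // Keeps parameter names (still useful for debugging) and replaces each value with a
    // placeholder. Expects the bare query, e.g. "user=alice&token=s3cr3t", as url.query is written.
    public static string RedactQuery(string query)
    {
        if (query.Length == 0) return query;
        var parts = query.Split('&');
        for (int i = 0; i < parts.Length; i++)
        {
            int eq = parts[i].IndexOf('=');
            if (eq >= 0)                               // "name=value" -> "name=Redacted"
                parts[i] = parts[i].Substring(0, eq + 1) + "Redacted";
            // a bare "flag" token carries no value, so it is left as is
        }
        return string.Join("&", parts);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed ActivitySource standing in for the instrumentation libraries.
        var source = new ActivitySource("redaction-demo");
        using var provider = Sdk.CreateTracerProviderBuilder()
            .AddSource("redaction-demo")
            .AddProcessor(new QueryStringRedactionProcessor())   // must precede the exporter
            .AddConsoleExporter()                                // OpenTelemetry.Exporter.Console
            .Build();

        // Constructed span mimicking what pre-1.8.1 HttpClient instrumentation writes.
        using (var activity = source.StartActivity("GET"))
        {
            activity?.SetTag("url.full", "https://api.example.com/login?user=alice&token=s3cr3t#top");
            activity?.SetTag("url.query", "user=alice&token=s3cr3t");
        }
        // Disposing the activity stops it, which runs OnEnd and then the console exporter.
    }
}
```

Run from a console project that references the two packages named above: the exporter prints the span with `url.full` reduced to `https://api.example.com/login?user=Redacted&token=Redacted#top` and `url.query` to `user=Redacted&token=Redacted`, while the secret values never reach the export pipeline. Drop the `Demo` class and keep only `AddProcessor(new QueryStringRedactionProcessor())` ahead of your exporters in the real `TracerProviderBuilder` chain; once the instrumentation packages are on `1.8.1`, the processor becomes redundant and can be removed.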

See Also

https://github.com/advisories/GHSA-vh2m-22xx-q94f

Plugin Details

Severity: Medium

ID: 419340

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.7

Temporal Score: 2

Vector: CVSS2#AV:A/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2024-32028

CVSS v3

Risk Factor: Medium

Base Score: 4.1

Temporal Score: 3.6

Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/12/2024

Vulnerability Publication Date: 4/12/2024

Reference Information

CVE: CVE-2024-32028