SCA: security update for OpenTelemetry.Resources.Azure (GHSA-vc24-j8c5-2vw4)

medium Tenable Self-Hosted Container Security Plugin ID 441014

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions
1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance
metadata service and reads the response body into memory without any size limit. An attacker who controls
the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an
arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading
to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates
the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as
firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance
metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than
buffering them entirely in memory and ignores responses larger than 4 MiB. (CVE-2026-41483)

Solution

Update the OpenTelemetry.Resources.Azure library and its related packages to version 1.15.1-beta.1 or later.

See Also

https://github.com/advisories/GHSA-vc24-j8c5-2vw4

Plugin Details

Severity: Medium

ID: 441014

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/30/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-41483

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/29/2026

Vulnerability Publication Date: 4/29/2026

Reference Information

CVE: CVE-2026-41483

cwe: CWE-770