admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 01:02:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-423xx/CVE-2024-42368.json
cad-safe-bot e6cbafdc40 Auto-Update: 2024-12-08T03:00:18.988682+00:00
2024-12-08 03:06:42 +00:00

68 lines
3.6 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-42368",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-08-13T20:15:08.447",
"lastModified": "2024-08-14T02:07:05.410",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0"
},
{
"lang": "es",
"value": "OpenTelemetry, tambi\u00e9n conocido como OTel, es un framework de observabilidad de c\u00f3digo abierto, independiente del proveedor, para instrumentar, generar, recopilar y exportar datos de telemetr\u00eda, como seguimientos, m\u00e9tricas y registros. El autenticador del servidor de la extensi\u00f3n Bearertokenauth realiza una comparaci\u00f3n de cadenas de tiempo simple y no constante de los tokens de portador recibidos y configurados. Esto afecta a cualquiera que utilice el autenticador del servidor \"bearertokenauth\". Los clientes malintencionados con acceso a la red del recopilador pueden realizar un ataque de sincronizaci\u00f3n contra un recopilador con este autenticador para adivinar el token configurado, enviando tokens de forma iterativa y comparando el tiempo de respuesta. Esto permitir\u00eda a un atacante introducir datos falsos o incorrectos en el canal de telemetr\u00eda del recopilador. La vulnerabilidad de tiempo observable se solucion\u00f3 mediante el uso de comparaci\u00f3n de tiempo constante en 0.107.0"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "LOW"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-208"
}
]
}
],
"references": [
{
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink