Back

CVE-2024-45043

Aug. 28, 2024, 8:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

OpenTelemetry Collector

  • v0.49.0 - v0.108.0

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-200
2024-08-28
CVE-2024-45043

CVE-2024-45043 details

Published : Aug. 28, 2024, 8:15 p.m.
Last Modified : Aug. 28, 2024, 8:15 p.m.

Description

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2 3 4 5.3 6 7 8 9 10

Weakness

Weakness Name Description
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.3

Exploitability Score

3.9

Impact Score

1.4

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

URL Source
https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http security-advisories@github.com
https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector#alpha security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847 security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698 security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74 security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0 security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.