OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
Weakness
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Opentelemetry | Opentelemetry | * | 1.42.0 (excluding) |
| Opentelemetry | Opentelemetry | 1.43.0 (including) | 1.43.0 (including) |