CVE-2023-47108

Aliases:GHSA-8pgv-569h-w5rwGO-2023-2331
Advisory lineage Upstream: 0 Downstream: 21
Modified
Published: 10 Nov 2023, 18:31
Last modified:28 Oct 2025, 18:22

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
4.3% LOW
4% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

10 Nov 2023, 18:31
Published
Vulnerability first disclosed
28 Oct 2025, 18:22
Last Modified
Vulnerability information updated

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 4.30% Percentile: 89%

Techniques & Countermeasures

  • CWE-770Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpcotelgrpc

    ≥ 0.37.0, < 0.46.0

  • open-telemetryopentelemetry-go-contrib

    ≥ 0.37.0, < 0.46.0

  • opentelemetryopentelemetry

    < 0.46.0

References (9)