Description
Advisory CVE-2024-45043 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/open-telemetry/opentelemetry-collector-contrib |
Description:
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector `awsfirehosereceiver` can optionally be configured to require this key on incoming reque...
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
- FIX: [receiver/awsfirehose]: Fix access key validation open-telemetry/opentelemetry-collector-contrib#34847
- FIX: [receiver/awsfirehose] Add AWS Firehose receiver to contrib manifest. open-telemetry/opentelemetry-collector-releases#74
- WEB: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
- WEB: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
- WEB: https://github.com/open-telemetry/opentelemetry-collector#alpha
- WEB: GHSA-prf6-xjxh-p698
- WEB: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
- WEB: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
- WEB: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```
id: GO-ID-PENDING
modules:
    - module: github.com/open-telemetry/opentelemetry-collector-contrib
      vulnerable_at: 0.108.0
summary: CVE-2024-45043 in github.com/open-telemetry/opentelemetry-collector-contrib
cves:
    - CVE-2024-45043
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
    - fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847
    - fix: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74
    - web: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
    - web: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
    - web: https://github.com/open-telemetry/opentelemetry-collector#alpha
    - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
    - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
    - web: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
    - web: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
source:
    id: CVE-2024-45043
    created: 2024-08-28T22:01:19.423541684Z
review_status: UNREVIEWED
```