Look up vulnerable packages by Package URL.

Purl pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.44.0
Type golang
Namespace go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful
Name otelrestful
Version 0.44.0
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-j28b-6m1n-2bdk
vulnerability_id VCID-j28b-6m1n-2bdk
summary
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
### Summary

Out of the box, this handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
adds the labels

- `http.user_agent`
- `http.method`

which have unbounded cardinality. This can exhaust the server's memory when it receives many malicious requests.

### Details

An attacker can trivially set the User-Agent header or the HTTP method of a request to a long, random value. The library internally uses [httpconv.ServerRequest](https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159), which records every value seen for the HTTP [method](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L204) and [User-Agent](https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223).

### PoC

Send many requests (e.g. a million) with long, randomly generated HTTP methods and/or User-Agents and observe how memory consumption grows while they are processed.

### Impact

To be affected, the program has to configure a metrics pipeline, use the [otelhttp.NewHandler](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) wrapper, and not filter unknown HTTP methods or User-Agents at the CDN, load balancer, earlier middleware, etc.

### Others

It is similar to previously reported vulnerabilities:
- https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh ([open-telemetry/opentelemetry-go-contrib](https://github.com/open-telemetry/opentelemetry-go-contrib))
- https://github.com/advisories/GHSA-cg3q-j54f-5p7p ([prometheus/client_golang](https://github.com/prometheus/client_golang))

### Workaround for affected versions

As a workaround, [otelhttp.WithFilter()](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/filters) can be used, but it requires careful manual configuration and the filtered requests are not instrumented at all.

For safe use of this library by default, it should label non-standard HTTP methods and User-Agents as `unknown`, so that such requests are still counted without increasing cardinality. Anyone who wants the current behavior should be able to opt into it through the library API.

The other possibility is to disable HTTP metrics instrumentation by passing [`otelhttp.WithMeterProvider`](https://pkg.go.dev/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp#WithMeterProvider) option with [`noop.NewMeterProvider`](https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider).

### Solution provided by upgrading

In PR https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277, released in package version 0.44.0, the values collected for the attribute `http.request.method` were restricted to a set of well-known values, and the other high-cardinality attributes were removed.
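
The following is an added example (not code from the advisory or the otelhttp project) that uses only the Go standard library to show why the two labels are dangerous and what the two mitigations described above look like in practice: a counter keyed on the raw method plus User-Agent grows by one series per distinct request, while a counter that collapses non-standard methods to a sentinel and never labels on User-Agent stays bounded by the size of the known-method set. It also includes a filter with the same shape as `otelhttp.Filter` (`func(*http.Request) bool`), which is what `otelhttp.WithFilter()` accepts. The names `normalizeMethod`, `boundedFilter`, `requestCounter` and `simulate` and the `unknown` sentinel are assumptions made for this example; the fixed library's actual sentinel value may differ.

```go
package main

import (
	"fmt"
	"math/rand"
	"net/http"
	"strings"
)

// Well-known HTTP methods (the RFC 9110 set plus PATCH). Any other token is
// collapsed to a single sentinel label so the metric dimension stays bounded
// regardless of what clients send.
var standardMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// unknownLabel is the sentinel the advisory proposes; the fixed library may
// use a different name (assumption made for this example).
const unknownLabel = "unknown"

// normalizeMethod passes well-known methods through and maps everything else
// to the sentinel. Methods are case-sensitive tokens, so "get" is unknown too.
func normalizeMethod(m string) string {
	if standardMethods[m] {
		return m
	}
	return unknownLabel
}

// boundedFilter has the same shape as otelhttp.Filter (func(*http.Request) bool).
// Returning false tells the wrapper not to instrument the request at all, which
// is the WithFilter() workaround: it bounds cardinality, but the dropped
// requests disappear from the metrics entirely.
func boundedFilter(r *http.Request) bool {
	return standardMethods[r.Method]
}

// requestCounter stands in for a request-count instrument: one series per
// distinct label set. With bounded=false it keys on the raw method and
// User-Agent (the pre-fix behaviour); with bounded=true it keys only on the
// normalized method and never on User-Agent.
type requestCounter struct {
	bounded bool
	series  map[string]int
}

func newRequestCounter(bounded bool) *requestCounter {
	return &requestCounter{bounded: bounded, series: map[string]int{}}
}

func (c *requestCounter) observe(r *http.Request) {
	var key string
	if c.bounded {
		key = normalizeMethod(r.Method)
	} else {
		key = r.Method + "|" + r.Header.Get("User-Agent")
	}
	c.series[key]++
}

// seriesCount is the number of series an exporter would have to keep in memory.
func (c *requestCounter) seriesCount() int { return len(c.series) }

// randomMethod builds a random 8-15 letter token, constructed here to stand in
// for the arbitrary method names a client may send.
func randomMethod(rng *rand.Rand) string {
	const letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	var b strings.Builder
	n := 8 + rng.Intn(8)
	for i := 0; i < n; i++ {
		b.WriteByte(letters[rng.Intn(len(letters))])
	}
	return b.String()
}

// simulate feeds n requests with random methods and random User-Agents through
// a counter and returns the resulting series count. Unbounded, this grows with
// n; bounded, it can never exceed len(standardMethods)+1.
func simulate(n int, seed int64, bounded bool) int {
	rng := rand.New(rand.NewSource(seed))
	c := newRequestCounter(bounded)
	for i := 0; i < n; i++ {
		req := &http.Request{Method: randomMethod(rng), Header: http.Header{}}
		req.Header.Set("User-Agent", fmt.Sprintf("client-%d", rng.Int63()))
		c.observe(req)
	}
	return c.seriesCount()
}

func main() {
	const n = 100000
	fmt.Printf("%d random requests, raw labels:       %d series\n", n, simulate(n, 1, false))
	fmt.Printf("%d random requests, bounded labels:   %d series (hard bound %d)\n",
		n, simulate(n, 1, true), len(standardMethods)+1)
	fmt.Println("filter keeps POST:", boundedFilter(&http.Request{Method: http.MethodPost}))
	fmt.Println("filter drops XYZQWERTY:", boundedFilter(&http.Request{Method: "XYZQWERTY"}))
}
```

The bounded counter is the behaviour the advisory asks the library to adopt by default; the filter is the opt-out workaround for affected versions. A practical check for an existing deployment is to watch the series count of the HTTP request metrics on the metrics backend: if it tracks request volume rather than the handful of real methods, the raw-label path is still active.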

### References

- https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
- https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45142.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45142.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-45142
reference_id
reference_type
scores
0
value 0.01159
scoring_system epss
scoring_elements 0.7861
published_at 2026-04-16T12:55:00Z
1
value 0.01159
scoring_system epss
scoring_elements 0.78581
published_at 2026-04-13T12:55:00Z
2
value 0.01159
scoring_system epss
scoring_elements 0.7859
published_at 2026-04-12T12:55:00Z
3
value 0.01159
scoring_system epss
scoring_elements 0.78608
published_at 2026-04-18T12:55:00Z
4
value 0.01159
scoring_system epss
scoring_elements 0.78583
published_at 2026-04-09T12:55:00Z
5
value 0.01159
scoring_system epss
scoring_elements 0.78551
published_at 2026-04-07T12:55:00Z
6
value 0.01159
scoring_system epss
scoring_elements 0.78577
published_at 2026-04-08T12:55:00Z
7
value 0.01159
scoring_system epss
scoring_elements 0.78569
published_at 2026-04-04T12:55:00Z
8
value 0.01159
scoring_system epss
scoring_elements 0.78538
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-45142
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/advisories/GHSA-cg3q-j54f-5p7p
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-cg3q-j54f-5p7p
4
reference_url https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223
5
reference_url https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159
6
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib
7
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
8
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
9
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
10
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
11
reference_url https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-45142
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-45142
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2245180
reference_id 2245180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2245180
15
reference_url https://access.redhat.com/errata/RHSA-2023:7197
reference_id RHSA-2023:7197
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7197
16
reference_url https://access.redhat.com/errata/RHSA-2023:7198
reference_id RHSA-2023:7198
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7198
17
reference_url https://access.redhat.com/errata/RHSA-2023:7469
reference_id RHSA-2023:7469
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7469
18
reference_url https://access.redhat.com/errata/RHSA-2023:7470
reference_id RHSA-2023:7470
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7470
19
reference_url https://access.redhat.com/errata/RHSA-2023:7555
reference_id RHSA-2023:7555
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7555
20
reference_url https://access.redhat.com/errata/RHSA-2023:7599
reference_id RHSA-2023:7599
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7599
21
reference_url https://access.redhat.com/errata/RHSA-2023:7663
reference_id RHSA-2023:7663
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7663
22
reference_url https://access.redhat.com/errata/RHSA-2023:7681
reference_id RHSA-2023:7681
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7681
23
reference_url https://access.redhat.com/errata/RHSA-2023:7682
reference_id RHSA-2023:7682
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7682
24
reference_url https://access.redhat.com/errata/RHSA-2023:7831
reference_id RHSA-2023:7831
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7831
25
reference_url https://access.redhat.com/errata/RHSA-2024:0050
reference_id RHSA-2024:0050
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0050
26
reference_url https://access.redhat.com/errata/RHSA-2024:0204
reference_id RHSA-2024:0204
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0204
27
reference_url https://access.redhat.com/errata/RHSA-2024:0641
reference_id RHSA-2024:0641
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0641
28
reference_url https://access.redhat.com/errata/RHSA-2024:0642
reference_id RHSA-2024:0642
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0642
29
reference_url https://access.redhat.com/errata/RHSA-2024:0660
reference_id RHSA-2024:0660
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0660
30
reference_url https://access.redhat.com/errata/RHSA-2024:0766
reference_id RHSA-2024:0766
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0766
31
reference_url https://access.redhat.com/errata/RHSA-2024:0833
reference_id RHSA-2024:0833
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0833
32
reference_url https://access.redhat.com/errata/RHSA-2024:1328
reference_id RHSA-2024:1328
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1328
33
reference_url https://access.redhat.com/errata/RHSA-2024:1859
reference_id RHSA-2024:1859
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1859
34
reference_url https://access.redhat.com/errata/RHSA-2024:2773
reference_id RHSA-2024:2773
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2773
35
reference_url https://access.redhat.com/errata/RHSA-2024:4118
reference_id RHSA-2024:4118
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4118
36
reference_url https://access.redhat.com/errata/RHSA-2024:5433
reference_id RHSA-2024:5433
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5433
37
reference_url https://access.redhat.com/errata/RHSA-2024:6236
reference_id RHSA-2024:6236
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6236
38
reference_url https://access.redhat.com/errata/RHSA-2024:6811
reference_id RHSA-2024:6811
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6811
39
reference_url https://access.redhat.com/errata/RHSA-2024:7921
reference_id RHSA-2024:7921
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7921
fixed_packages
0
url pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.44.0
purl pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.44.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.44.0
aliases CVE-2023-45142, GHSA-rcjv-mgp8-qvmr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j28b-6m1n-2bdk
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@0.44.0