CVE-2023-47108

7.5 HIGH
Published: November 10, 2023 Modified: October 28, 2025
View on NVD

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327
Source: security-advisories@github.com
Product
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138
Source: security-advisories@github.com
Product
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/04c5dcbb5b35f14b4e6793b245919c72addbc7d0
Source: security-advisories@github.com
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
Source: security-advisories@github.com
Patch
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw
Source: security-advisories@github.com
Vendor Advisory
https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider
Source: security-advisories@github.com
Product
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327
Source: af854a3a-2127-422b-91ae-364da2661108
Product
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138
Source: af854a3a-2127-422b-91ae-364da2661108
Product
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking Patch
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider
Source: af854a3a-2127-422b-91ae-364da2661108
Product

13 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
4.3%
88th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-770

Affected Vendors

opentelemetry

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3