chore(deps): update dependency opentelemetry.instrumentation.http to v1.8.1 [security] (master) #161

Open

renovate-bot wants to merge 1 commit from renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability into master

pull from: renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

merge into: wonderking:master

wonderking:master

wonderking:125-game-server-registration

wonderking:renovate/master-.net-opentelemetry

wonderking:renovate/master-dotnet-sdk-8.x

wonderking:renovate/master-entity-framework-core

wonderking:renovate/master-meziantou.analyzer-2.x

wonderking:renovate/master-major-.net-dotnext

wonderking:renovate/master-masstransit

wonderking:renovate/master-catthehacker-ubuntu-act-latest

wonderking:renovate/master-npgsql.opentelemetry-8.x

wonderking:renovate/master-microsoft.visualstudio.threading.analyzers-17.x

wonderking:renovate/master-konscious.security.cryptography.argon2-1.x

wonderking:renovate/master-dependencytrack-gh-upload-sbom-3.x

wonderking:renovate/master-major-github-artifact-actions

wonderking:renovate/master-actions-setup-dotnet-4.x

wonderking:renovate/master-actions-checkout-4.x

wonderking:renovate/master-dependencytrack-gh-upload-sbom-2.x

wonderking:migrate2efcore

Conversation 0 Commits 1 Files changed 1 +1 -1

renovate-bot commented 2024-04-19 06:00:50 +00:00

Member

Copy link

This PR contains the following updates:

Package	Type	Update	Change
OpenTelemetry.Instrumentation.Http (source)	nuget	minor	1.7.1 -> 1.8.1

---

Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore

CVE-2024-32028 / GHSA-vh2m-22xx-q94f

More information

Details

Impact

OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests.

These attributes are defined by the Semantic Conventions for HTTP Spans.

Up until the 1.8.1 the values written by OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.

Note: Older versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore may use different tag names but have the same vulnerability.

Resolution

The 1.8.1 versions of OpenTelemetry.Instrumentation.Http & OpenTelemetry.Instrumentation.AspNetCore will now redact by default all values detected on transmitted or received query strings.

Example transmitted or received query sting:

?key1=value1&key2=value2

Example of redacted value written on telemetry:

?key1=Redacted&key2=Redacted

Severity

• CVSS Score: 4.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References

• https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
• https://nvd.nist.gov/vuln/detail/CVE-2024-32028
• https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42
• https://github.com/open-telemetry/opentelemetry-dotnet
• https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [OpenTelemetry.Instrumentation.Http](https://opentelemetry.io/) ([source](https://github.com/open-telemetry/opentelemetry-dotnet)) | nuget | minor | `1.7.1` -> `1.8.1` | --- ### Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore [CVE-2024-32028](https://nvd.nist.gov/vuln/detail/CVE-2024-32028) / [GHSA-vh2m-22xx-q94f](https://github.com/advisories/GHSA-vh2m-22xx-q94f) <details> <summary>More information</summary> #### Details ##### Impact `OpenTelemetry.Instrumentation.Http` writes the `url.full` attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http requests and `OpenTelemetry.Instrumentation.AspNetCore` writes the `url.query` attribute/tag on spans (`Activity`) when tracing is enabled for incoming http requests. These attributes are defined by the [Semantic Conventions for HTTP Spans](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md). Up until the `1.8.1` the values written by `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents. Note: Older versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` may use different tag names but have the same vulnerability. ##### Resolution The `1.8.1` versions of `OpenTelemetry.Instrumentation.Http` & `OpenTelemetry.Instrumentation.AspNetCore` will now redact by default all values detected on transmitted or received query strings. Example transmitted or received query sting: `?key1=value1&key2=value2` Example of redacted value written on telemetry: `?key1=Redacted&key2=Redacted` #### Severity - CVSS Score: 4.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` #### References - [https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f](https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f) - [https://nvd.nist.gov/vuln/detail/CVE-2024-32028](https://nvd.nist.gov/vuln/detail/CVE-2024-32028) - [https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42](https://github.com/open-telemetry/opentelemetry-dotnet/commit/e222ecb5942d4ce1cadfd4306c39e3f4933a5c42) - [https://github.com/open-telemetry/opentelemetry-dotnet](https://github.com/open-telemetry/opentelemetry-dotnet) - [https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-vh2m-22xx-q94f) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMDIuMCIsInVwZGF0ZWRJblZlciI6IjM3LjMwMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbInNlY3VyaXR5Il19-->

renovate-bot added 1 commit 2024-04-19 06:00:50 +00:00

chore(deps): update dependency opentelemetry.instrumentation.http to v1.8.1 [security] ... f64c63eac5

Signed-off-by: noreply@rainote.dev

All checks were successful

Hide all checks

PR Workflow / preprocess (pull_request) Successful in 3s

Details

PR Workflow / build (pull_request) Successful in 35s

Details

PR Workflow / sbom-scan (pull_request) Successful in 39s

Details

PR Workflow / generate-licences (pull_request) Successful in 1m5s

Details

PR Workflow / container-build (pull_request) Successful in 1m34s

Details

PR Workflow / container-sbom-scan (pull_request) Successful in 36s

Details

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability:renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout master

git merge --no-ff renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git rebase master

git checkout master

git merge --ff-only renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git rebase master

git checkout master

git merge --no-ff renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout master

git merge --squash renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout master

git merge --ff-only renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git checkout master

git merge renovate/master-nuget-OpenTelemetry.Instrumentation.Http-vulnerability

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

Kind/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No labels

Kind/Breaking

Kind/Bug

Kind/Documentation

Kind/Enhancement

Kind/Feature

Kind/Security

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Need More Info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: wonderking/continuity#161

No description provided.