Opentelemetry Go
cpe:2.3:a:open-telemetry:opentelemetry-go:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Vendor | Open Telemetry (e0933b97-2767-54e8-948d-aac7569a5839) |
| Product | Opentelemetry Go (5f1a1eaf-d428-50ee-9ae4-e179bf7e1859) |
| Version | * |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-39883 | vulnerable | 2026-06-03 15:22:13.240489 | OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking<br>OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.<br>Published: 2026-04-08T20:26:41.731Z<br>Updated: 2026-04-10T20:52:54.819Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-39882 | vulnerable | 2026-06-03 15:22:13.231741 | OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies<br>MEDIUM (5.3)<br>OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in 1.43.0.<br>Published: 2026-04-08T20:24:19.246Z<br>Updated: 2026-04-09T20:22:03.109Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-29181 | vulnerable | 2026-06-03 15:19:22.975955 | OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote DoS amplification)<br>HIGH (7.5)<br>OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value `baggage` header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many `baggage` header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.<br>Published: 2026-04-07T20:29:13.933Z<br>Updated: 2026-04-08T15:37:02.444Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-24051 | vulnerable | 2026-06-03 15:16:51.276704 | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking<br>HIGH (7)<br>OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.<br>Published: 2026-02-02T19:49:10.038Z<br>Updated: 2026-02-03T14:54:41.668Z | Imported from gcve-enriched-dumps CVE data |