CVE-2023-47108

DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 2.74% Top 15%
Vendor Advisory github.com
Affected: open-telemetry opentelemetry-go-contrib
Published at:
Updated at:

References

Link Tags
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw vendor advisory
https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322 issue tracking patch
https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b patch
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327 product
https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138 product
https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider product

Frequently Asked Questions

What is the severity of CVE-2023-47108?
CVE-2023-47108 has been scored as a high severity vulnerability.
How to fix CVE-2023-47108?
To fix CVE-2023-47108, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-47108 being actively exploited in the wild?
It is possible that CVE-2023-47108 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-47108?
CVE-2023-47108 affects open-telemetry opentelemetry-go-contrib.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.