x/vulndb: potential Go vuln in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension: GHSA-rfxf-mf63-cpqv #3066
Labels
Comments
|
Change https://go.dev/cl/605315 mentions this issue: |
|
Change https://go.dev/cl/606360 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 19, 2024
- data/reports/GO-2024-2993.yaml - data/reports/GO-2024-2997.yaml - data/reports/GO-2024-3033.yaml - data/reports/GO-2024-3039.yaml - data/reports/GO-2024-2921.yaml - data/reports/GO-2024-2982.yaml - data/reports/GO-2024-3066.yaml - data/reports/GO-2024-3070.yaml Updates #2993 Updates #2997 Updates #3033 Updates #3039 Updates #2921 Updates #2982 Updates #3066 Updates #3070 Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Advisory GHSA-rfxf-mf63-cpqv references a vulnerability in the following Go modules:
Description:
Summary
The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens.
Details
https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196
For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/.
Impact
This impacts anyone using the
bearertokenauthserver authenticator. Malicious clients with network access to the collector may perform...References:
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: