Description
The OpenTelemetry Collector is a vendor-agnostic implementation for receiving, processing and exporting telemetry data. Its confighttp and configgrpc modules decompressed compressed request payloads without bounding the size of the inflated data, so an unauthenticated attacker who can reach a receiver can send a small, highly compressible payload that inflates to far more than the collector can hold in memory and crashes it (a decompression-bomb denial of service). OpenTelemetry Collector 0.102.1 fixes the issue; the fix is also in confighttp module version 0.102.0 and configgrpc module version 0.102.1. Because the attack needs no credentials (PR:N) and only network reachability (AV:N), any receiver port built on these modules that untrusted clients can reach is exposed until the collector or the modules are upgraded.
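The Go program below is added here to illustrate the bug class described above; it is not the collector's code and not the fix from the referenced pull requests. It contrasts the unbounded decompression pattern with a version that enforces the size limit on the inflated stream rather than on the compressed wire bytes: a constructed gzip payload of a few KiB inflates to 64 MiB, is fully buffered by readUnbounded, and is rejected with HTTP 413 by the handler that uses readBounded. The function names, the 4 MiB limit and the /v1/traces path are assumptions of the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrBodyTooLarge is returned when the inflated payload exceeds the limit.
var ErrBodyTooLarge = errors.New("decompressed body exceeds limit")

// makeGzipBomb builds a gzip member that inflates to n bytes of zeros.
// Constructed attacker input: a few KiB on the wire, n bytes once inflated.
func makeGzipBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zero := make([]byte, 64*1024)
	for n > 0 {
		k := len(zero)
		if n < k {
			k = n
		}
		zw.Write(zero[:k])
		n -= k
	}
	zw.Close()
	return buf.Bytes()
}

// readUnbounded is the vulnerable pattern: the body is inflated and fully
// buffered with no ceiling, so the sender controls memory use via the ratio.
func readUnbounded(body io.Reader) (int, error) {
	zr, err := gzip.NewReader(body)
	if err != nil {
		return 0, err
	}
	data, err := io.ReadAll(zr)
	return len(data), err
}

// readBounded is the hardened form: the limit applies to the inflated stream.
// Reading one byte beyond maxBytes is the signal that the payload is oversized.
func readBounded(body io.Reader, maxBytes int64) (int, error) {
	zr, err := gzip.NewReader(body)
	if err != nil {
		return 0, err
	}
	data, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return 0, err
	}
	if int64(len(data)) > maxBytes {
		return 0, ErrBodyTooLarge
	}
	return len(data), nil
}

// handler wires readBounded into an HTTP endpoint that answers 413 for
// oversized inflated bodies instead of buffering them.
func handler(maxBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Content-Encoding") != "gzip" {
			http.Error(w, "expected gzip body", http.StatusUnsupportedMediaType)
			return
		}
		n, err := readBounded(r.Body, maxBytes)
		switch {
		case errors.Is(err, ErrBodyTooLarge):
			http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		case err != nil:
			http.Error(w, err.Error(), http.StatusBadRequest)
		default:
			fmt.Fprintf(w, "accepted %d inflated bytes\n", n)
		}
	}
}

// postBomb submits a gzip payload to the handler and returns the HTTP status.
func postBomb(h http.Handler, payload []byte) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/traces", bytes.NewReader(payload))
	req.Header.Set("Content-Encoding", "gzip")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	bomb := makeGzipBomb(64 << 20) // 64 MiB once inflated, ~64 KiB on the wire
	n, _ := readUnbounded(bytes.NewReader(bomb))
	_, err := readBounded(bytes.NewReader(bomb), 4<<20)
	fmt.Printf("wire %d bytes; unbounded buffered %d bytes; bounded: %v; HTTP %d\n",
		len(bomb), n, err, postBomb(handler(4<<20), bomb))
}
```

The point that matters for this advisory is where the limit sits: a cap on Content-Length or on the compressed bytes read from the socket does nothing against a bomb, because the expansion happens after that check. The limit has to wrap the decompressor's output, and the server should stop reading as soon as it is exceeded rather than inflate everything and measure afterwards.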
References (4)
Patch: https://github.com/open-telemetry/opentelemetry-collector/pull/10289
Patch: https://github.com/open-telemetry/opentelemetry-collector/pull/10323
Vendor Advisory: https://opentelemetry.io/blog/2024/cve-2024-36129
Exploit, Third Party Advisory: https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
Scores
CVSS v3.1 base score: 8.2 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector: NETWORK
The vector reflects the description: network-reachable, low complexity, no privileges or user interaction, high availability impact (crash), low integrity impact (dropped telemetry), no confidentiality impact.
EPSS: 0.0240 (percentile 85.2%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
Status: published
Products (5)
collector/config (Go): < 0.102.0
collector/config (Go): < 0.102.1
opentelemetry/configgrpc: < 0.102.1
opentelemetry/confighttp: < 0.102.0
opentelemetry/opentelemetry_collector: < 0.102.1
Published: Jun 05, 2024
Tracked Since: Feb 18, 2026