Is CVE-2024-36129 actively exploited?

CVE-2024-36129 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2024-36129?

CVE-2024-36129 has a CVSS score of 8.2 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H.

How do I patch CVE-2024-36129?

Patch guidance is available from opentelemetry security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2024-36129.

Fix CVE-2024-36129 - HIGH opentelemetry configgrpc

Q: Which products are affected by CVE-2024-36129?

3 products: opentelemetry configgrpc, opentelemetry confighttp, opentelemetry opentelemetry collector.

Description

The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: high
Weaknesses: CWE-119 · Memory Buffer Errors CWE-119 · Memory Buffer Errors

Metadata

Primary Vendor: OPENTELEMETRY
Published: 6/5/2024
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

opentelemetry : configgrpcopentelemetry : confighttpopentelemetry : opentelemetry_collector

Remediation Guidance

Executive Summary

View on NIST NVD