opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
Summary The Sentry exporter constructs Sentry API URLs by interpolating the span's service.name resource attribute into the URL path without validation. Because service.name is controlled by remote OTLP senders and the operator-configured bearer token is attached to every request, a crafted service name can reach arbitrary Sentry API endpoints reachable by that token — including privileged admin, organization, and member endpoints within the configured Sentry organization. Affected exporter/sentryexporter/sentry_exporter.go (lines 715–737) …