CVE-2024-36129: Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.
References
- github.com/advisories/GHSA-c74f-6mfw-mm4v
- github.com/open-telemetry/opentelemetry-collector
- github.com/open-telemetry/opentelemetry-collector/pull/10289
- github.com/open-telemetry/opentelemetry-collector/pull/10323
- github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
- nvd.nist.gov/vuln/detail/CVE-2024-36129
- opentelemetry.io/blog/2024/cve-2024-36129
Code Behaviors & Features
Detect and mitigate CVE-2024-36129 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →