CVE-2024-42368

CVSS v3 Score
6.5
Medium

Vulnerability Description

OpenTelemetry, also known as OTel, is a vendor-neutral open source observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant-time string comparison of the received and configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0.
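The description above contrasts a plain string comparison with a constant-time one. The following Go program is an added example written for this page, not code from the OpenTelemetry Collector or the bearertokenauth extension; the function names and the token values are constructed for illustration. It shows why a short-circuiting comparison leaks information (the number of bytes examined grows with the length of the matching prefix), how `crypto/subtle.ConstantTimeCompare` removes that dependency, and one caveat a practitioner should know: `ConstantTimeCompare` returns immediately when the lengths differ, so hashing both values first hides the configured token's length as well.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// naiveTokenMatch models the behaviour the advisory describes: Go's == on
// strings compares byte by byte and stops at the first difference, so the
// elapsed time depends on how long a prefix the guess shares with the secret.
func naiveTokenMatch(configured, received string) bool {
	return configured == received
}

// countComparedBytes is a deterministic stand-in for a timing measurement:
// it returns how many bytes a short-circuiting comparison inspects before it
// can answer. A larger count means the guess shares a longer correct prefix.
func countComparedBytes(configured, received string) int {
	n := 0
	for i := 0; i < len(configured) && i < len(received); i++ {
		n++
		if configured[i] != received[i] {
			return n
		}
	}
	return n
}

// constantTimeTokenMatch is the hardened form: the time taken depends only on
// the input lengths, never on which bytes differ.
func constantTimeTokenMatch(configured, received string) bool {
	return subtle.ConstantTimeCompare([]byte(configured), []byte(received)) == 1
}

// hashedTokenMatch additionally hides the configured token's length. Both
// values are reduced to fixed-size SHA-256 digests before the constant-time
// comparison, so a length mismatch no longer produces an early return.
func hashedTokenMatch(configured, received string) bool {
	c := sha256.Sum256([]byte(configured))
	r := sha256.Sum256([]byte(received))
	return subtle.ConstantTimeCompare(c[:], r[:]) == 1
}

func main() {
	// Constructed sample values; the "guesses" share progressively longer
	// prefixes with the configured token.
	configured := "secret-token"
	guesses := []string{"xecret-token", "secXet-token", "secret-tokeX", "secret-token"}

	fmt.Println("bytes inspected by the naive comparison:")
	for _, g := range guesses {
		fmt.Printf("  %-14s -> %2d bytes, match=%v\n",
			g, countComparedBytes(configured, g), naiveTokenMatch(configured, g))
	}

	fmt.Println("constant-time results (no prefix-dependent work):")
	for _, g := range guesses {
		fmt.Printf("  %-14s -> subtle=%v hashed=%v\n",
			g, constantTimeTokenMatch(configured, g), hashedTokenMatch(configured, g))
	}
}
```

The inspected-byte counts climb as the guessed prefix lengthens, which is exactly the signal an observer of response times would be looking for; the two constant-time variants give the same true/false answers while doing the same amount of work for every guess.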

CVSS: 6.5 (Medium)

IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow a remote attacker to obtain sensitive information during the creation of ECDSA signatures to perform a timing-based attack.

CVSS: 6.5 (Medium)

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows an attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an author...

CVSS: 6.5 (Medium)

In JetBrains TeamCity before 2024.07, comparison of authorization tokens took non-constant time.

CVSS: 6.3 (Medium)

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrar...

CVSS: 5.9 (Medium)

csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail-first string comparison, instead of a time-constant string comparison. This enab...

CVSS: 5.9 (Medium)

Search Guard versions before 21.0 had a timing side-channel issue when using the internal user database.