CVE-2023-45142

CVE Details

Last Update

10/10/2024

NIST CVE Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and http.method that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it.
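
The cardinality problem in the summary above, as an added Go example that is not code from OpenTelemetry-Go Contrib or from this advisory: it counts how many distinct metric series a labelling function creates when `http.method` and `http.user_agent` come straight from the request, and how many remain when the method is restricted to a closed set and the User-Agent is left out. The function names, the `_OTHER` bucket and the sample requests are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// knownMethods is the closed set of values allowed for the http.method label.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// unboundedKey labels a series with two client-controlled values (the flaw).
func unboundedKey(r *http.Request) string {
	return "http.method=" + r.Method + ",http.user_agent=" + r.UserAgent()
}

// boundedKey folds unknown methods into one bucket and omits the User-Agent.
func boundedKey(r *http.Request) string {
	if knownMethods[r.Method] {
		return "http.method=" + r.Method
	}
	return "http.method=_OTHER" // hypothetical catch-all bucket name
}

// countSeries returns how many distinct series a labelling function creates.
func countSeries(reqs []*http.Request, key func(*http.Request) string) int {
	series := map[string]struct{}{}
	for _, r := range reqs {
		series[key(r)] = struct{}{}
	}
	return len(series)
}

// sampleRequests builds n constructed requests: GET or a made-up method, unique User-Agent.
func sampleRequests(n int) []*http.Request {
	var reqs []*http.Request
	for i := 0; i < n; i++ {
		method := []string{http.MethodGet, fmt.Sprintf("M%d", i)}[i%2]
		h := http.Header{"User-Agent": {fmt.Sprintf("agent-%d", i)}}
		reqs = append(reqs, &http.Request{Method: method, Header: h})
	}
	return reqs
}

func main() {
	fmt.Println(countSeries(sampleRequests(1000), unboundedKey), countSeries(sampleRequests(1000), boundedKey))
}
```

With the unbounded key the series count grows with the number of requests, which is the memory growth the summary describes; with the bounded key it stays constant regardless of request volume.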

Our Official Summary

This CVE exists in k8s version 1.28.11. For customer workload clusters, the workaround is to use k8s version 1.29+. For the Palette Self Hosted cluster, a future release will upgrade to 1.29+.

CVE Severity

7.5

Status

Ongoing

Affected Products & Versions

  • Palette VerteX airgap 4.4.14, 4.4.18
  • Palette Enterprise airgap 4.4.18

Revision History

  • 1.0 08/16/2024 Initial Publication
  • 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
  • 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
  • 4.0 10/10/2024 CVE remediated in Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3