x/vulndb: potential Go vuln in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension: GHSA-rfxf-mf63-cpqv

[GoVulnBot]

Advisory GHSA-rfxf-mf63-cpqv references a vulnerability in the following Go modules:

Module
github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension

Description:

Summary

The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens.

Details

https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/9128a9258fe1fee36f198f97b1e3371fc7b77a93/extension/bearertokenauthextension/bearertokenauth.go#L189-L196

For background on the type of vulnerability, see https://ropesec.com/articles/timing-attacks/.

Impact

This impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform...

References:

• ADVISORY: GHSA-rfxf-mf63-cpqv
• ADVISORY: GHSA-rfxf-mf63-cpqv
• FIX: open-telemetry/opentelemetry-collector-contrib@c9bd3ef
• FIX: [extension/bearertokenauth] use constant time comparison open-telemetry/opentelemetry-collector-contrib#34516

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
      versions:
        - introduced: 0.80.0
        - fixed: 0.107.0
      vulnerable_at: 0.106.1
summary: open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
cves:
    - CVE-2024-42368
ghsas:
    - GHSA-rfxf-mf63-cpqv
references:
    - advisory: https://github.com/advisories/GHSA-rfxf-mf63-cpqv
    - advisory: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv
    - fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a
    - fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516
source:
    id: GHSA-rfxf-mf63-cpqv
    created: 2024-08-13T19:01:27.054339606Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/605315 mentions this issue: data/reports: add 7 unreviewed reports

[gopherbot]

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports