CVE-2024-42368
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2024-42368 is a timing vulnerability in the server authenticator of the bearertokenauth extension for OpenTelemetry (OTel), an open-source observability framework. The authenticator compared the presented bearer token against the configured one using a non-constant-time string comparison, so a malicious client could guess the configured token through a timing attack. Successful exploitation allows an attacker to inject fabricated or malicious data into the affected collector's telemetry pipeline, potentially compromising its integrity. The issue has been mitigated by switching to a constant-time comparison in OTel version 0.107.0.
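The mechanism behind the flaw, as an added Go example that is not the collector's own code: an early-exit comparison does an amount of work that depends on how much of the guess is correct, while crypto/subtle's constant-time comparison does not. The token value and the function names are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// configuredToken is a constructed sample secret for this example.
const configuredToken = "Bearer example-token-1234567890"

// naiveEqual mirrors the early-exit behaviour of a plain string
// comparison. It reports whether the inputs match and how many bytes
// were inspected before deciding; that count is what a remote caller
// can observe as a difference in response time.
func naiveEqual(a, b string) (bool, int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := 0; i < len(a); i++ {
		if a[i] != b[i] {
			return false, i + 1 // stops at the first mismatching byte
		}
	}
	return true, len(a)
}

// constantTimeEqual is the hardened form: ConstantTimeCompare inspects
// every byte of equal-length inputs, so the work done does not reveal
// where the first mismatch is.
func constantTimeEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// AuthorizeVulnerable and AuthorizeFixed show the two authenticator
// behaviours for an incoming Authorization header value.
func AuthorizeVulnerable(header string) bool {
	ok, _ := naiveEqual(header, configuredToken)
	return ok
}

func AuthorizeFixed(header string) bool {
	return constantTimeEqual(header, configuredToken)
}

func main() {
	// A guess sharing a longer correct prefix is rejected later by the
	// naive comparison; the fixed form gives no such signal.
	for _, g := range []string{"Bearer wrong-token-xxxxxxxxxxxx", "Bearer example-token-xxxxxxxxxx"} {
		_, n := naiveEqual(g, configuredToken)
		fmt.Printf("naive compare inspected %d bytes for %q\n", n, g)
	}
}
```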
Affected Products
- Opentelemetry-Collector-Contrib
Affected Vendors
- OpenTelemetry