x/vulndb: potential Go vuln in github.com/open-telemetry/opentelemetry-collector-contrib: CVE-2024-45043

[GoVulnBot]

Advisory CVE-2024-45043 references a vulnerability in the following Go modules:

Module
github.com/open-telemetry/opentelemetry-collector-contrib

Description:
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header X-Amz-Firehose-Access-Key with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming reque...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
• FIX: [receiver/awsfirehose]: Fix access key validation open-telemetry/opentelemetry-collector-contrib#34847
• FIX: [receiver/awsfirehose] Add AWS Firehose receiver to contrib manifest. open-telemetry/opentelemetry-collector-releases#74
• WEB: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
• WEB: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
• WEB: https://github.com/open-telemetry/opentelemetry-collector#alpha
• WEB: GHSA-prf6-xjxh-p698
• WEB: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
• WEB: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
• WEB: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/open-telemetry/opentelemetry-collector-contrib
      vulnerable_at: 0.108.0
summary: CVE-2024-45043 in github.com/open-telemetry/opentelemetry-collector-contrib
cves:
    - CVE-2024-45043
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45043
    - fix: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34847
    - fix: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/74
    - web: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-http
    - web: https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html
    - web: https://github.com/open-telemetry/opentelemetry-collector#alpha
    - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-prf6-xjxh-p698
    - web: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver
    - web: https://github.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0
    - web: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
source:
    id: CVE-2024-45043
    created: 2024-08-28T22:01:19.423541684Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports