CVE-2023-43810: 
Python vulnerability analysis and mitigation

OpenTelemetry (OTel), a vendor-neutral open-source Observability framework for instrumenting, generating, collecting, and exporting telemetry data, was found to have a vulnerability in its auto-instrumentation feature (CVE-2023-43810). The vulnerability was discovered in versions prior to 0.41b0, where the HTTP method label had unbound cardinality, potentially leading to server memory exhaustion. The issue was disclosed and patched in August 2023 (GitHub Advisory).

The vulnerability stems from the auto-instrumentation feature that adds the 'http_method' label without proper bounds checking. When processing HTTP requests, the system would accept and store any arbitrary HTTP method value, including randomly generated long strings. This implementation flaw could be exploited by sending numerous requests with random, lengthy HTTP methods, causing unbounded memory growth. The issue has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability primarily affects the availability of systems using OpenTelemetry instrumentation for HTTP handlers. When exploited, it can lead to memory exhaustion of the server, potentially causing service disruption. The impact is particularly significant for systems that do not filter unknown HTTP methods at the CDN, load balancer, or middleware level (GitHub Advisory).

The vulnerability has been patched in version 0.41b0. The fix involves marking non-standard HTTP methods with the label 'NONSTANDARD' by default, preventing cardinality explosion. For users who need to capture all HTTP method names, a new environment variable 'OTELPYTHONINSTRUMENTATIONHTTPCAPTUREALLMETHODS' has been introduced. When set to true, it allows the recording of all HTTP method names (GitHub Patch).