CVE-2023-47108: 
Docker vulnerability analysis and mitigation

OpenTelemetry-Go Contrib's grpc Unary Server Interceptor, prior to version 0.46.0, contained a vulnerability where it adds labels net.peer.sock.addr and net.peer.sock.port with unbound cardinality. This vulnerability was assigned CVE-2023-47108 and was discovered in November 2023. The issue affects the OpenTelemetry-Go Contrib package, specifically the instrumentation for gRPC (GitHub Advisory).

The vulnerability exists in the grpc Unary Server Interceptor which automatically adds network peer labels (net.peer.sock.addr and net.peer.sock.port) to metrics without any cardinality limits. The issue has been assigned a CVSS v3.1 score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can lead to server memory exhaustion through malicious requests. An attacker can flood the server with requests using different peer addresses and ports, causing unbounded memory growth as each unique combination creates new metric labels (GitHub Advisory).

There are two recommended workarounds for affected versions: 1) Use a view to remove the problematic attributes, or 2) Disable gRPC metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider. The vulnerability has been fixed in version 0.46.0 by removing the high cardinality attributes from the metrics (GitHub Advisory).