cardinality
About this tag
The cardinality tag on WindowsForum.com covers discussions about unbounded metric label cardinality as a denial-of-service vector in observability tools. Threads detail vulnerabilities like CVE-2023-45142 in OpenTelemetry-Go Contrib and CVE-2022-21698 in Prometheus promhttp, where unvalidated HTTP inputs create excessive label values, leading to memory exhaustion. These topics are relevant to IT professionals managing Go-based instrumentation and monitoring stacks, highlighting the need for input validation and cardinality limits to prevent resource exhaustion. The tag focuses on security fixes and best practices for controlling metric cardinality in enterprise observability systems.
OpenTelemetry‑Go Contrib’s HTTP instrumentation contains a subtle but serious denial‑of‑service vector: unbounded cardinality in HTTP labels allows an attacker to exhaust memory through repeated requests that introduce ever‑new label values, a flaw tracked as CVE‑2023‑45142 and fixed in the...
The promhttp vulnerability tracked as CVE-2022-21698 exposed a surprising — yet instructive — weakness at the intersection of observability and availability: by allowing unbounded metric label values to be created from unvalidated HTTP methods, the Prometheus Go client library (client_golang)...