{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T06:22:32.904","vulnerabilities":[{"cve":{"id":"CVE-2024-42368","sourceIdentifier":"security-advisories@github.com","published":"2024-08-13T20:15:08.447","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector's telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in  0.107.0"},{"lang":"es","value":"OpenTelemetry, también conocido como OTel, es un framework de observabilidad de código abierto, independiente del proveedor, para instrumentar, generar, recopilar y exportar datos de telemetría, como seguimientos, métricas y registros. El autenticador del servidor de la extensión Bearertokenauth realiza una comparación de cadenas de tiempo simple y no constante de los tokens de portador recibidos y configurados. Esto afecta a cualquiera que utilice el autenticador del servidor \"bearertokenauth\". Los clientes malintencionados con acceso a la red del recopilador pueden realizar un ataque de sincronización contra un recopilador con este autenticador para adivinar el token configurado, enviando tokens de forma iterativa y comparando el tiempo de respuesta. Esto permitiría a un atacante introducir datos falsos o incorrectos en el canal de telemetría del recopilador. La vulnerabilidad de tiempo observable se solucionó mediante el uso de comparación de tiempo constante en 0.107.0"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-208"}]}],"references":[{"url":"https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a","source":"security-advisories@github.com"},{"url":"https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516","source":"security-advisories@github.com"},{"url":"https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv","source":"security-advisories@github.com"}]}}]}