Commit 3b1da1a

1 parent 47c51b3 commit 3b1da1a

1 file changed

+3
-3
lines changed

advisories/github-reviewed/2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json

Lines changed: 3 additions & 3 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9h8m-3fm2-qjrq",
4-
"modified": "2026-02-27T21:39:46Z",
4+
"modified": "2026-02-27T21:39:49Z",
55
"published": "2026-02-02T20:07:46Z",
66
"aliases": [
77
"CVE-2026-24051"
88
],
9-
"summary": "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking",
10-
"details": "### Impact\nThe OpenTelemetry Go SDK in version `v1.20.0`-`1.39.0` is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.\n\n### Patches\nThis has been patched in [d45961b](https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53), which was released with `v1.40.0`.\n\n### References\n- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)",
9+
"summary": "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking on macOS (Darwin) only",
10+
"details": "### Impact\nThe OpenTelemetry Go SDK in version `v1.20.0`-`1.39.0` is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.\n\nOn macOS (Darwin) only\n\n### Patches\nThis has been patched in [d45961b](https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53), which was released with `v1.40.0`.\n\n### References\n- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
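
Review bot: the standalone line "On macOS (Darwin) only" added to `details`, between the Impact paragraph and `### Patches`, is a sentence fragment that repeats scope the first Impact sentence already states ("on macOS/Darwin systems"). Suggest dropping it from `details` and carrying the platform restriction in `summary` alone, or rewriting it as a full sentence inside the Impact paragraph. In the new `summary`, the trailing "only" after "on macOS (Darwin)" reads awkwardly; "... via PATH Hijacking on macOS (Darwin)" conveys the same restriction. Since this edit touches `details` anyway, the version range `v1.20.0`-`1.39.0` in the unchanged text mixes a `v`-prefixed and an unprefixed version and could be normalized in the same change.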
