From 3b1da1aa740a94d37e76a42562d812095e642911 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <19779+xnox@users.noreply.github.com>
Date: Tue, 3 Mar 2026 16:49:03 +0000
Subject: [PATCH] Improve GHSA-9h8m-3fm2-qjrq

---
 .../2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/advisories/github-reviewed/2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json b/advisories/github-reviewed/2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json
index 988b752189a86..f5fba06a5b5ea 100644
--- a/advisories/github-reviewed/2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json
+++ b/advisories/github-reviewed/2026/02/GHSA-9h8m-3fm2-qjrq/GHSA-9h8m-3fm2-qjrq.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9h8m-3fm2-qjrq",
- "modified": "2026-02-27T21:39:46Z",
+ "modified": "2026-02-27T21:39:49Z",
 "published": "2026-02-02T20:07:46Z",
 "aliases": [
 "CVE-2026-24051"
 ],
- "summary": "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking",
- "details": "### Impact\nThe OpenTelemetry Go SDK in version `v1.20.0`-`1.39.0` is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.\n\n### Patches\nThis has been patched in [d45961b](https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53), which was released with `v1.40.0`.\n\n### References\n- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)",
+ "summary": "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking on macOS (Darwin) only",
+ "details": "### Impact\nThe OpenTelemetry Go SDK in version `v1.20.0`-`1.39.0` is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in `sdk/resource/host_id.go` executes the `ioreg` system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.\n\nOn macOS (Darwin) only\n\n### Patches\nThis has been patched in [d45961b](https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53), which was released with `v1.40.0`.\n\n### References\n- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)",
 "severity": [
 {
 "type": "CVSS_V3",
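Review bot: The line `On macOS (Darwin) only` added to the new `details` value is a bare fragment with no terminal punctuation, and it restates what the Impact paragraph two sentences earlier already says ("on macOS/Darwin systems"), so a reader gets the platform scope twice in slightly different wording. Folding it into the existing sentence reads better and keeps the summary and details consistent, e.g. `...can achieve Arbitrary Code Execution (ACE) within the context of the application. Other platforms are not affected.` Since the commit already rewrites this line, the inconsistent version range `` `v1.20.0`-`1.39.0` `` (the upper bound lacks the `v` prefix used everywhere else in the text) could be corrected in the same edit. The platform restriction lives only in free text here; whether the `affected` entries outside this hunk carry it in machine-readable form cannot be seen from the diff.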