From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability Name: AWS Firehose Receiver Authentication Bypass Vulnerability
2. Severity: Moderate (5.3 / 10)
3. Affected Version Range: >= 0.49.0, < 0.108.0
4. Fixed Version: 0.108.0
5. Description:
   - The OpenTelemetry Collector module allows unauthorized remote requests, even when configured to require a key.
   - OpenTelemetry Collector can be configured to receive CloudWatch metrics via AWS Firehose Stream. Firehose sets the header to any configured string.
   - When configured to require a key, the module still accepts unencrypted requests.
6. Impact:
   - Only users of OpenTelemetry Collector who use the module are affected.
   - Unauthorized users may write metrics. Carefully crafted metrics could obscure other malicious activities.
   - These endpoints may be exposed to the public internet, as Firehose does not support private HTTP endpoints.
7. Fix:
   - The fix was introduced in #34847 and released in version 0.108.0.
8. CPE ID: cpe:2.3:a:open-telemetry:opentelemetry-collector-contrib:0.49.0-0.108.0
9. CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
10. Reporter: DouglasHeriot
11. Fix Reviewer: Aneurysm9
12. Coordinator: arminru
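
The behaviour in item 5 (a key is configured, yet requests that do not satisfy the check are accepted) is shown below as an added Go example; it is not the project's code and not taken from the advisory. `validateLax` is a constructed illustration of that flaw class, `validateStrict` is one fail-closed alternative, and the header name `X-Amz-Firehose-Access-Key` comes from the Firehose HTTP endpoint delivery specification rather than from this page.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// Header Firehose uses to carry the configured access key to an HTTP endpoint.
const accessKeyHeader = "X-Amz-Firehose-Access-Key"

// validateLax (constructed, hypothetical): rejects a wrong key but treats a
// missing header as acceptable, so a request with no key passes.
func validateLax(configured string, r *http.Request) int {
	got := r.Header.Get(accessKeyHeader)
	if configured != "" && got != "" && got != configured {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// validateStrict fails closed: when a key is configured, the header must be
// present and equal, compared in constant time.
func validateStrict(configured string, r *http.Request) int {
	if configured == "" {
		return http.StatusOK // operator chose to run without a key
	}
	got := r.Header.Get(accessKeyHeader)
	if subtle.ConstantTimeCompare([]byte(got), []byte(configured)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// request builds a constructed delivery request; key == "" omits the header.
func request(key string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://collector.example/", nil)
	if key != "" {
		r.Header.Set(accessKeyHeader, key)
	}
	return r
}

func main() {
	const configured = "constructed-key" // sample value, not a real secret
	for _, k := range []string{"", "wrong", configured} {
		fmt.Printf("key=%q lax=%d strict=%d\n", k,
			validateLax(configured, request(k)), validateStrict(configured, request(k)))
	}
}
```

On collectors that cannot yet move to 0.108.0, the same three requests (no header, wrong key, correct key) make a quick regression check against the receiver endpoint: only the last should be accepted.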