Vulnerability Details CVE-2022-46146
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.1%
CVSS Severity
CVSS v3 Score 6.2
References
- http://www.openwall.com/lists/oss-security/2022/11/29/1
- http://www.openwall.com/lists/oss-security/2022/11/29/2
- http://www.openwall.com/lists/oss-security/2022/11/29/4
- https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
- https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/
- https://security.gentoo.org/glsa/202401-15
- http://www.openwall.com/lists/oss-security/2022/11/29/1
- http://www.openwall.com/lists/oss-security/2022/11/29/2
- http://www.openwall.com/lists/oss-security/2022/11/29/4
- https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
- https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/
- https://security.gentoo.org/glsa/202401-15
Products affected by CVE-2022-46146
-
cpe:2.3:a:prometheus:exporter_toolkit:*