CVE-2022-46146

Name
CVE-2022-46146
Description
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
MISC https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
MLIST http://www.openwall.com/lists/oss-security/2022/11/29/1
MLIST http://www.openwall.com/lists/oss-security/2022/11/29/2
MLIST http://www.openwall.com/lists/oss-security/2022/11/29/4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/
security-advisories@github.com https://security.gentoo.org/glsa/202401-15

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:* exporter_toolkit >= 0.8.0 < 0.8.2
cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:* exporter_toolkit >= None < 0.7.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status