Prometheus Exporter Toolkit vulnerable to basic authentication bypass
CVE-2022-46146

6.2MEDIUM

Key Information:

Vendor: Prometheus
Status: Exporter-toolkit
Vendor: CVE Published:; 29 November 2022

What is CVE-2022-46146?

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

Affected Version(s)

exporter-toolkit < 0.7.2 < 0.7.2

exporter-toolkit >= 0.8.0, < 0.8.2 < 0.8.0, 0.8.2

References

https://github.com/prometheus/exporter-toolkit/security/a...

https://github.com/prometheus/exporter-toolkit/commit/5b1...

http://www.openwall.com/lists/oss-security/2022/11/29/1

mailing-list

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2022
Vulnerability Reserved
Nov 28, 2022

CVE-2022-46146 Data

JSON