CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to use this functionality.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.2 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS Score Percentile: 39%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| prometheus | exporter_toolkit | 𝑥 < 0.7.2 |
| prometheus | exporter_toolkit | 0.8.0 ≤ 𝑥 < 0.8.2 |

𝑥 = Vulnerable software versions
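
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| golang-github-prometheus-exporter-toolkit | bookworm | 0.8.2-2 | fixed |
| golang-github-prometheus-exporter-toolkit | bullseye | 0.5.1-2+deb11u2 | fixed |
| golang-github-prometheus-exporter-toolkit | sid | 0.13.1-1 | fixed |
| golang-github-prometheus-exporter-toolkit | trixie | 0.13.1-1 | fixed |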
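
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-github-prometheus-exporter-toolkit | bionic | dne |
| golang-github-prometheus-exporter-toolkit | focal | dne |
| golang-github-prometheus-exporter-toolkit | jammy | needs-triage |
| golang-github-prometheus-exporter-toolkit | kinetic | ignored |
| golang-github-prometheus-exporter-toolkit | lunar | ignored |
| golang-github-prometheus-exporter-toolkit | mantic | not-affected |
| golang-github-prometheus-exporter-toolkit | noble | not-affected |
| golang-github-prometheus-exporter-toolkit | trusty | ignored |
| golang-github-prometheus-exporter-toolkit | xenial | ignored |
| prometheus | bionic | needs-triage |
| prometheus | focal | needs-triage |
| prometheus | jammy | needs-triage |
| prometheus | kinetic | ignored |
| prometheus | lunar | ignored |
| prometheus | mantic | ignored |
| prometheus | noble | needs-triage |
| prometheus | trusty | ignored |
| prometheus | xenial | needs-triage |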

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| bind | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-chrootenv | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-chrootenv | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-chrootenv | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-chrootenv | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-devel | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-devel | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-devel | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-devel | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-doc | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-doc | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-doc | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-doc | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-utils | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-utils | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| bind-utils | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| bind-utils | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise desktop 15 SP4 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise desktop 15 SP5 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise desktop 15 SP6 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise desktop 15 SP7 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP1 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP2 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP4 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP5 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP6 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise sap 15 SP7 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP1 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP2 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP3 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP4 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP5 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP6 | 1.5.0-150100.3.23.2 | fixed |
| golang-github-prometheus-node_exporter | suse enterprise server 15 SP7 | 1.5.0-150100.3.23.2 | fixed |
| libbind9-1600 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libbind9-1600 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libbind9-1600 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libbind9-1600 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libdns1605 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libdns1605 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libdns1605 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libdns1605 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libirs-devel | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libirs-devel | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libirs-devel | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libirs-devel | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libirs1601 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libirs1601 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libirs1601 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libirs1601 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisc1606 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisc1606 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisc1606 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisc1606 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisccc1600 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisccc1600 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisccc1600 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisccc1600 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisccfg1600 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisccfg1600 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libisccfg1600 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libisccfg1600 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libns1604 | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libns1604 | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| libns1604 | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| libns1604 | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| python3-bind | suse enterprise sap 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| python3-bind | suse enterprise sap 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| python3-bind | suse enterprise server 15 SP1 | 9.16.6-150000.12.65.1 | fixed |
| python3-bind | suse enterprise server 15 SP2 | 9.16.6-150000.12.65.1 | fixed |
| supportutils-plugin-salt | suse enterprise desktop 15 SP4 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise desktop 15 SP5 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise desktop 15 SP6 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise desktop 15 SP7 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP1 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP2 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP4 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP5 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP6 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise sap 15 SP7 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP1 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP2 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP3 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP4 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP5 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP6 | 1.2.2-150000.3.13.1 | fixed |
| supportutils-plugin-salt | suse enterprise server 15 SP7 | 1.2.2-150000.3.13.1 | fixed |

References