Vulnerability-Lookup

CVE-2022-46146 (GCVE-0-2022-46146)

Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2024-08-03 14:24

Title

Prometheus Exporter Toolkit vulnerable to basic authentication bypass

Summary

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

Severity

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-303 - Incorrect Implementation of Authentication Algorithm
CWE-287 - Improper Authentication

Assigner

GitHub_M

References

9 references

URL	Tags
https://github.com/prometheus/exporter-toolkit/se…
https://github.com/prometheus/exporter-toolkit/co…
http://www.openwall.com/lists/oss-security/2022/11/29/1	mailing-list
http://www.openwall.com/lists/oss-security/2022/11/29/2	mailing-list
http://www.openwall.com/lists/oss-security/2022/11/29/4	mailing-list
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202401-15	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
prometheus	exporter-toolkit	Affected: < 0.7.2 Affected: >= 0.8.0, < 0.8.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
          },
          {
            "name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
          },
          {
            "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
          },
          {
            "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
          },
          {
            "name": "FEDORA-2023-cf176d02d8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
          },
          {
            "name": "FEDORA-2023-1b25579262",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
          },
          {
            "name": "FEDORA-2023-c1318fb7f8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
          },
          {
            "name": "GLSA-202401-15",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-15"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "exporter-toolkit",
          "vendor": "prometheus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.7.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.8.0, \u003c 0.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-12T12:06:19.456Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
        },
        {
          "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
        },
        {
          "name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
        },
        {
          "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
        },
        {
          "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
        },
        {
          "name": "FEDORA-2023-cf176d02d8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
        },
        {
          "name": "FEDORA-2023-1b25579262",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
        },
        {
          "name": "FEDORA-2023-c1318fb7f8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
        },
        {
          "name": "GLSA-202401-15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-15"
        }
      ],
      "source": {
        "advisory": "GHSA-7rg2-cxvp-9p7p",
        "discovery": "UNKNOWN"
      },
      "title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-46146",
    "datePublished": "2022-11-29T00:00:00.000Z",
    "dateReserved": "2022-11-28T00:00:00.000Z",
    "dateUpdated": "2024-08-03T14:24:03.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-46146",
      "date": "2026-05-25",
      "epss": "0.00185",
      "percentile": "0.39795"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.7.2\", \"matchCriteriaId\": \"715C0429-EE84-443F-B5F2-D2D3F6CE74AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.8.0\", \"versionEndExcluding\": \"0.8.2\", \"matchCriteriaId\": \"A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.\"}, {\"lang\": \"es\", \"value\": \"Un usuario pod\\u00eda eliminar un perfil VPN del cliente m\\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\\u00f3n lock-warp-switch est\\u00e1 habilitada en Zero Trust Platform. Esto llev\\u00f3 a eludir las pol\\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust.\"}]",
      "id": "CVE-2022-46146",
      "lastModified": "2024-11-21T07:30:11.987",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.2, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2022-11-29T14:15:13.283",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.gentoo.org/glsa/202401-15\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202401-15\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}, {\"lang\": \"en\", \"value\": \"CWE-303\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-46146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-29T14:15:13.283\",\"lastModified\":\"2024-11-21T07:30:11.987\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.\"},{\"lang\":\"es\",\"value\":\"Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-303\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.7.2\",\"matchCriteriaId\":\"715C0429-EE84-443F-B5F2-D2D3F6CE74AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.8.0\",\"versionEndExcluding\":\"0.8.2\",\"matchCriteriaId\":\"A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202401-15\",\"source\":\"security-advisories@github.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202401-15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

BDU:2023-02338

Vulnerability from fstec - Published: 28.11.2022

Title

Уязвимость реализации алгоритма хеширования bcrypt библиотеки для экспорта файлов системы Prometheus Exporter Toolkit, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Description

Уязвимость реализации алгоритма хеширования bcrypt библиотеки для экспорта файлов системы Prometheus Exporter Toolkit связана с обходом аутентификации при обработке файла web.yml. Эксплуатация уязвимости может позволить нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

Severity


                    
                      AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor

Novell Inc., Red Hat Inc., Сообщество свободного программного обеспечения

Software Name

SUSE Linux Enterprise Server for SAP Applications, openSUSE Tumbleweed, SUSE CaaS Platform, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, OpenSUSE Leap, SUSE Manager Proxy, SUSE Manager Server, SUSE Enterprise Storage, Red Hat OpenShift Container Platform, Suse Linux Enterprise Desktop, SUSE Manager Retail Branch Server, Red Hat Enterprise Linux, SUSE Manager Tools, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Real Time, SUSE Linux Enterprise Module for Package Hub, SUSE Linux Enterprise Module for SAP Applications, Exporter Toolkit

Software Version

12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), - (openSUSE Tumbleweed), 4.0 (SUSE CaaS Platform), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Manager Tools), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Basesystem), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Real Time), 15 SP4 (SUSE Linux Enterprise Module for Package Hub), 15 SP1 (SUSE Linux Enterprise Module for SAP Applications), 15 SP2 (SUSE Linux Enterprise Module for SAP Applications), 15 SP3 (SUSE Linux Enterprise Module for SAP Applications), 15 SP4 (SUSE Linux Enterprise Module for SAP Applications), до 0.7.2 (Exporter Toolkit), от 0.8.0 до 0.8.2 (Exporter Toolkit), 15 (SUSE Manager Tools)

Possible Mitigations

Использование рекомендаций: Для Prometheus Exporter Toolkit: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 Для продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2022-46146 Для продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2022-46146.htm

Reference

http://www.openwall.com/lists/oss-security/2022/11/29/1 http://www.openwall.com/lists/oss-security/2022/11/29/2 http://www.openwall.com/lists/oss-security/2022/11/29/4 https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p https://www.suse.com/security/cve/CVE-2022-46146.html https://vuldb.com/ru/?id.214520

CWE

CWE-287, CWE-303, CWE-305

JSON

To clipboard

{
  "CVSS 2.0": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
  "CVSS 3.0": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), - (openSUSE Tumbleweed), 4.0 (SUSE CaaS Platform), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Manager Tools), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Basesystem), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Real Time), 15 SP4 (SUSE Linux Enterprise Module for Package Hub), 15 SP1 (SUSE Linux Enterprise Module for SAP Applications), 15 SP2 (SUSE Linux Enterprise Module for SAP Applications), 15 SP3 (SUSE Linux Enterprise Module for SAP Applications), 15 SP4 (SUSE Linux Enterprise Module for SAP Applications), \u0434\u043e 0.7.2 (Exporter Toolkit), \u043e\u0442 0.8.0 \u0434\u043e 0.8.2 (Exporter Toolkit), 15 (SUSE Manager Tools)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Prometheus Exporter Toolkit:\nhttps://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2022-46146\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-46146.htm",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "28.11.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.05.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.05.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-02338",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-46146",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SUSE Linux Enterprise Server for SAP Applications, openSUSE Tumbleweed, SUSE CaaS Platform, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, OpenSUSE Leap, SUSE Manager Proxy, SUSE Manager Server, SUSE Enterprise Storage, Red Hat OpenShift Container Platform, Suse Linux Enterprise Desktop, SUSE Manager Retail Branch Server, Red Hat Enterprise Linux, SUSE Manager Tools, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Real Time, SUSE Linux Enterprise Module for Package Hub, SUSE Linux Enterprise Module for SAP Applications, Exporter Toolkit",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , Novell Inc. openSUSE Tumbleweed - , Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS , Novell Inc. OpenSUSE Leap 15.4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Desktop 15 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Red Hat Inc. Red Hat Enterprise Linux 9 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS , Novell Inc. SUSE Linux Enterprise Real Time 15 SP3 , Novell Inc. SUSE Linux Enterprise Module for Package Hub 15 SP4 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0445\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f bcrypt \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0430 \u0444\u0430\u0439\u043b\u043e\u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Prometheus Exporter Toolkit, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f (CWE-287), \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 (CWE-303), \u041e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432 \u0441\u0438\u043b\u0443 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u0438 (CWE-305)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0445\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f bcrypt \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0430 \u0444\u0430\u0439\u043b\u043e\u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Prometheus Exporter Toolkit \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0444\u0430\u0439\u043b\u0430 web.yml. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://www.openwall.com/lists/oss-security/2022/11/29/1 \nhttp://www.openwall.com/lists/oss-security/2022/11/29/2 \nhttp://www.openwall.com/lists/oss-security/2022/11/29/4 \nhttps://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 \nhttps://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\nhttps://www.suse.com/security/cve/CVE-2022-46146.html\nhttps://vuldb.com/ru/?id.214520",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-287, CWE-303, CWE-305",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,9)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)"
}

CNVD-2022-84554

Vulnerability from cnvd - Published: 2022-12-05

Title

prometheus exporter_toolkit存在未明漏洞

Description

Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。 Prometheus Exporter Toolkit 0.7.2及0.8.2之前版本存在未明漏洞，攻击者可利用漏洞伪造请求，以破坏用于缓存哈希计算的内部缓存方式，绕过安全性使用此功能。

Severity

中

Patch Name

prometheus exporter_toolkit存在未明漏洞的补丁

Patch Description

Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。 Prometheus公司下的Prometheus Exporter Toolkit在0.7.2和0.82之前版本存在安全漏洞。攻击者可利用漏洞伪造请求，以破坏用于缓存哈希计算的内部缓存方式，绕过安全性使用此功能。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/prometheus/exportertoolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5

Reference

https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

Impacted products

Name
['Prometheus exporter_toolkit <0.7.2', 'Prometheus exporter_toolkit <0.8.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-46146",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-46146"
    }
  },
  "description": "Prometheus\u662f\u4e00\u6b3e\u4f7f\u7528Go\u8bed\u8a00\u7f16\u5199\u7684\u3001\u7528\u4e8e\u8bb0\u5f55\u4f7f\u7528HTTP\u62c9\u6a21\u578b\u6784\u5efa\u7684\u65f6\u95f4\u5e8f\u5217\u6570\u636e\u5e93\u4e2d\u5b9e\u65f6\u6307\u6807\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\n\nPrometheus Exporter Toolkit 0.7.2\u53ca0.8.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f2a\u9020\u8bf7\u6c42\uff0c\u4ee5\u7834\u574f\u7528\u4e8e\u7f13\u5b58\u54c8\u5e0c\u8ba1\u7b97\u7684\u5185\u90e8\u7f13\u5b58\u65b9\u5f0f\uff0c\u7ed5\u8fc7\u5b89\u5168\u6027\u4f7f\u7528\u6b64\u529f\u80fd\u3002",
  "discovererName": "Lei Wan",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/prometheus/exportertoolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-84554",
  "openTime": "2022-12-05",
  "patchDescription": "Prometheus\u662f\u4e00\u6b3e\u4f7f\u7528Go\u8bed\u8a00\u7f16\u5199\u7684\u3001\u7528\u4e8e\u8bb0\u5f55\u4f7f\u7528HTTP\u62c9\u6a21\u578b\u6784\u5efa\u7684\u65f6\u95f4\u5e8f\u5217\u6570\u636e\u5e93\u4e2d\u5b9e\u65f6\u6307\u6807\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\r\n\r\nPrometheus\u516c\u53f8\u4e0b\u7684Prometheus Exporter Toolkit\u57280.7.2\u548c0.82\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f2a\u9020\u8bf7\u6c42\uff0c\u4ee5\u7834\u574f\u7528\u4e8e\u7f13\u5b58\u54c8\u5e0c\u8ba1\u7b97\u7684\u5185\u90e8\u7f13\u5b58\u65b9\u5f0f\uff0c\u7ed5\u8fc7\u5b89\u5168\u6027\u4f7f\u7528\u6b64\u529f\u80fd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "prometheus exporter_toolkit\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Prometheus exporter_toolkit \u003c0.7.2",
      "Prometheus exporter_toolkit \u003c0.8.2"
    ]
  },
  "referenceLink": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
  "serverity": "\u4e2d",
  "submitTime": "2022-12-01",
  "title": "prometheus exporter_toolkit\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

FKIE_CVE-2022-46146

Vulnerability from fkie_nvd - Published: 2022-11-29 14:15 - Updated: 2024-11-21 07:30

Severity

6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2022/11/29/1	Exploit, Mailing List, Third Party Advisory
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2022/11/29/2	Exploit, Mailing List, Patch, Third Party Advisory
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2022/11/29/4	Exploit, Mailing List, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p	Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/
security-advisories@github.com	https://security.gentoo.org/glsa/202401-15
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/11/29/1	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/11/29/2	Exploit, Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/11/29/4	Exploit, Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202401-15

Impacted products

	Vendor	Product	Version
	prometheus	exporter_toolkit	*
	prometheus	exporter_toolkit	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "715C0429-EE84-443F-B5F2-D2D3F6CE74AD",
              "versionEndExcluding": "0.7.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0",
              "versionEndExcluding": "0.8.2",
              "versionStartIncluding": "0.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
    },
    {
      "lang": "es",
      "value": "Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust."
    }
  ],
  "id": "CVE-2022-46146",
  "lastModified": "2024-11-21T07:30:11.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-29T14:15:13.283",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://security.gentoo.org/glsa/202401-15"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.gentoo.org/glsa/202401-15"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        },
        {
          "lang": "en",
          "value": "CWE-303"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-7RG2-CXVP-9P7P

Vulnerability from github – Published: 2022-12-02 22:25 – Updated: 2022-12-02 22:25

Summary

Prometheus Exporter-Toolkit is vulnerable to authentication bypass

Details

Impact

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.

Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.

However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.

A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

Patches

The exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.

Workarounds

There is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.

Credit

We want to thank Lei Wan reporting this security issue.

Severity

6.2 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/prometheus/exporter-toolkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/prometheus/exporter-toolkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-02T22:25:46Z",
    "nvd_published_at": "2022-11-29T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPrometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.\n\nPasswords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.\n\nHowever, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.\n\nA request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.\n\n### Patches\n\nThe exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.\n\n### Workarounds\n\nThere is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.\n\n### Credit\n\nWe want to thank Lei Wan reporting this security issue.\n",
  "id": "GHSA-7rg2-cxvp-9p7p",
  "modified": "2022-12-02T22:25:46Z",
  "published": "2022-12-02T22:25:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/commit/25288779bc59d00c41b4a1706c6b87f0561ef2d7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/prometheus/exporter-toolkit"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-15"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prometheus Exporter-Toolkit is vulnerable to authentication bypass"
}

GSD-2022-46146

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-46146

Aliases

CVE-2022-46146

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-46146",
    "id": "GSD-2022-46146",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-46146.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-46146"
      ],
      "details": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
      "id": "GSD-2022-46146",
      "modified": "2023-12-13T01:19:37.656654Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-46146",
        "STATE": "PUBLIC",
        "TITLE": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "exporter-toolkit",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.7.2"
                        },
                        {
                          "version_value": "\u003e= 0.8.0, \u003c 0.8.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "prometheus"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-303: Incorrect Implementation of Authentication Algorithm"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287: Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
            "refsource": "CONFIRM",
            "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
          },
          {
            "name": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
            "refsource": "MISC",
            "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
          },
          {
            "name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
          },
          {
            "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
          },
          {
            "name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
          },
          {
            "name": "FEDORA-2023-cf176d02d8",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
          },
          {
            "name": "FEDORA-2023-1b25579262",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
          },
          {
            "name": "FEDORA-2023-c1318fb7f8",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
          },
          {
            "name": "GLSA-202401-15",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202401-15"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-7rg2-cxvp-9p7p",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv0.7.2 || \u003e=v0.8.0 \u003cv0.8.2",
          "affected_versions": "All versions before 0.7.2, all versions starting from 0.8.0 before 0.8.2",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-01",
          "description": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
          "fixed_versions": [
            "v0.7.2",
            "v0.8.2"
          ],
          "identifier": "CVE-2022-46146",
          "identifiers": [
            "CVE-2022-46146",
            "GHSA-7rg2-cxvp-9p7p"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/prometheus/exporter-toolkit",
          "pubdate": "2022-11-29",
          "solution": "Upgrade to versions 0.7.2, 0.8.2 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-46146",
            "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
            "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
            "http://www.openwall.com/lists/oss-security/2022/11/29/1",
            "http://www.openwall.com/lists/oss-security/2022/11/29/2",
            "http://www.openwall.com/lists/oss-security/2022/11/29/4"
          ],
          "uuid": "780d3265-250f-40b6-bd8e-3877dc4d58a7",
          "versions": [
            {
              "commit": {
                "sha": "4b760faf1dd6f471488602abfc495d117873c6ca",
                "tags": [
                  "v0.8.0"
                ],
                "timestamp": "20221019072355"
              },
              "number": "v0.8.0"
            },
            {
              "commit": {
                "sha": "c9c27502906e3dc6e9dc4edce795b779aaf1f7e0",
                "tags": [
                  "v0.8.2"
                ],
                "timestamp": "20221129092249"
              },
              "number": "v0.8.2"
            },
            {
              "commit": {
                "sha": "4d4a645bb2c37d9f53297a12f7fdae0809312b91",
                "tags": [
                  "v0.7.2"
                ],
                "timestamp": "20221129092249"
              },
              "number": "v0.7.2"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "715C0429-EE84-443F-B5F2-D2D3F6CE74AD",
                    "versionEndExcluding": "0.7.2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0",
                    "versionEndExcluding": "0.8.2",
                    "versionStartIncluding": "0.8.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
          },
          {
            "lang": "es",
            "value": "Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust."
          }
        ],
        "id": "CVE-2022-46146",
        "lastModified": "2024-01-12T12:15:45.110",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.5,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2022-11-29T14:15:13.283",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Mailing List",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Mailing List",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://security.gentoo.org/glsa/202401-15"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-287"
              },
              {
                "lang": "en",
                "value": "CWE-303"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

MSRC_CVE-2022-46146

Vulnerability from csaf_microsoft - Published: 2022-11-02 00:00 - Updated: 2026-02-18 01:55

Summary

Prometheus Exporter Toolkit vulnerable to basic authentication bypass

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2022-46146

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-303 - Incorrect Implementation of Authentication Algorithm

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 18829-17084		—
Unresolved product id: 20089-17084		—

Known affected 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 17084-2		—	Vendor Fix fix
Unresolved product id: 17084-1		—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2022/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2022/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-46146.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass",
    "tracking": {
      "current_release_date": "2026-02-18T01:55:34.000Z",
      "generator": {
        "date": "2026-02-18T11:52:17.130Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-46146",
      "initial_release_date": "2022-11-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-09-11T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2026-02-18T01:55:34.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 prometheus-process-exporter 0.8.2-1",
                "product": {
                  "name": "\u003cazl3 prometheus-process-exporter 0.8.2-1",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 prometheus-process-exporter 0.8.2-1",
                "product": {
                  "name": "azl3 prometheus-process-exporter 0.8.2-1",
                  "product_id": "18829"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 prometheus-process-exporter 0.7.10-15",
                "product": {
                  "name": "\u003cazl3 prometheus-process-exporter 0.7.10-15",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 prometheus-process-exporter 0.7.10-15",
                "product": {
                  "name": "azl3 prometheus-process-exporter 0.7.10-15",
                  "product_id": "20089"
                }
              }
            ],
            "category": "product_name",
            "name": "prometheus-process-exporter"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 prometheus-process-exporter 0.8.2-1 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 prometheus-process-exporter 0.8.2-1 as a component of Azure Linux 3.0",
          "product_id": "18829-17084"
        },
        "product_reference": "18829",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 prometheus-process-exporter 0.7.10-15 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 prometheus-process-exporter 0.7.10-15 as a component of Azure Linux 3.0",
          "product_id": "20089-17084"
        },
        "product_reference": "20089",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-46146",
      "cwe": {
        "id": "CWE-303",
        "name": "Incorrect Implementation of Authentication Algorithm"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18829-17084",
          "20089-17084"
        ],
        "known_affected": [
          "17084-2",
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-46146.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-11T00:00:00.000Z",
          "details": "0.8.2-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-2",
            "17084-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "17084-2",
            "17084-1"
          ]
        }
      ],
      "title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
    }
  ]
}

OPENSUSE-SU-2024:12637-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the golang-github-prometheus-node_exporter-1.5.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12637

CVE-2022-27191

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2022-46146

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2022-27191/	self
https://www.suse.com/security/cve/CVE-2022-46146/	self
https://www.suse.com/security/cve/CVE-2022-27191	external
https://bugzilla.suse.com/1197284	external
https://www.suse.com/security/cve/CVE-2022-46146	external
https://bugzilla.suse.com/1208046	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the golang-github-prometheus-node_exporter-1.5.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12637",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12637-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-27191 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-27191/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-46146 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-46146/"
      }
    ],
    "title": "golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12637-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
                "product": {
                  "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
                  "product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
                "product": {
                  "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
                  "product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
                "product": {
                  "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
                  "product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
                "product": {
                  "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
                  "product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64"
        },
        "product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le"
        },
        "product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x"
        },
        "product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
        },
        "product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-27191",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-27191"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-27191",
          "url": "https://www.suse.com/security/cve/CVE-2022-27191"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1197284 for CVE-2022-27191",
          "url": "https://bugzilla.suse.com/1197284"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-27191"
    },
    {
      "cve": "CVE-2022-46146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-46146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
          "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-46146",
          "url": "https://www.suse.com/security/cve/CVE-2022-46146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208046 for CVE-2022-46146",
          "url": "https://bugzilla.suse.com/1208046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-46146"
    }
  ]
}

OPENSUSE-SU-2024:12650-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

golang-github-prometheus-prometheus-2.41.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: golang-github-prometheus-prometheus-2.41.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the golang-github-prometheus-prometheus-2.41.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12650

CVE-2022-46146

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2022-46146/	self
https://www.suse.com/security/cve/CVE-2022-46146	external
https://bugzilla.suse.com/1208046	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "golang-github-prometheus-prometheus-2.41.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the golang-github-prometheus-prometheus-2.41.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12650",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12650-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-46146 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-46146/"
      }
    ],
    "title": "golang-github-prometheus-prometheus-2.41.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12650-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
                  "product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
                "product": {
                  "name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
                  "product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
                "product": {
                  "name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
                  "product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
                  "product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64"
        },
        "product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le"
        },
        "product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x"
        },
        "product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
        },
        "product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-46146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-46146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
          "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-46146",
          "url": "https://www.suse.com/security/cve/CVE-2022-46146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208046 for CVE-2022-46146",
          "url": "https://bugzilla.suse.com/1208046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
            "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-46146"
    }
  ]
}

OPENSUSE-SU-2024:12691-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media

Description of the patch: These are all security issues fixed in the prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12691

CVE-2022-46146

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64	—	Vendor Fix

Threats

Impact important

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2022-46146/	self
https://www.suse.com/security/cve/CVE-2022-46146	external
https://bugzilla.suse.com/1208046	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12691",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12691-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-46146 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-46146/"
      }
    ],
    "title": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12691-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
                "product": {
                  "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
                  "product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
                "product": {
                  "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
                  "product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
                "product": {
                  "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
                  "product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
                "product": {
                  "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
                  "product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64"
        },
        "product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le"
        },
        "product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x"
        },
        "product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
        },
        "product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-46146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-46146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
          "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
          "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
          "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-46146",
          "url": "https://www.suse.com/security/cve/CVE-2022-46146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208046 for CVE-2022-46146",
          "url": "https://bugzilla.suse.com/1208046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
            "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-46146"
    }
  ]
}

OPENSUSE-SU-2024:12700-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

grafana-8.5.20-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: grafana-8.5.20-2.1 on GA media

Description of the patch: These are all security issues fixed in the grafana-8.5.20-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12700

CVE-2022-46146

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64	—	Vendor Fix

Threats

Impact important

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2022-46146/	self
https://www.suse.com/security/cve/CVE-2022-46146	external
https://bugzilla.suse.com/1208046	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "grafana-8.5.20-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the grafana-8.5.20-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12700",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12700-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-46146 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-46146/"
      }
    ],
    "title": "grafana-8.5.20-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12700-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.5.20-2.1.aarch64",
                "product": {
                  "name": "grafana-8.5.20-2.1.aarch64",
                  "product_id": "grafana-8.5.20-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.5.20-2.1.ppc64le",
                "product": {
                  "name": "grafana-8.5.20-2.1.ppc64le",
                  "product_id": "grafana-8.5.20-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.5.20-2.1.s390x",
                "product": {
                  "name": "grafana-8.5.20-2.1.s390x",
                  "product_id": "grafana-8.5.20-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.5.20-2.1.x86_64",
                "product": {
                  "name": "grafana-8.5.20-2.1.x86_64",
                  "product_id": "grafana-8.5.20-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.5.20-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64"
        },
        "product_reference": "grafana-8.5.20-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.5.20-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le"
        },
        "product_reference": "grafana-8.5.20-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.5.20-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x"
        },
        "product_reference": "grafana-8.5.20-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.5.20-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
        },
        "product_reference": "grafana-8.5.20-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-46146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-46146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
          "openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-46146",
          "url": "https://www.suse.com/security/cve/CVE-2022-46146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1208046 for CVE-2022-46146",
          "url": "https://bugzilla.suse.com/1208046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
            "openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-46146"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-46146 (GCVE-0-2022-46146)

Impact

Patches

Workarounds

Credit

Tags

Sightings

Nomenclature