Bug 883649 - <app-metrics/snmp_exporter-0.24.1: basic authentication bypass
Summary: <app-metrics/snmp_exporter-0.24.1: basic authentication bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/prometheus/exporte...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 920176
Blocks: CVE-2022-46146
Reported: 2022-11-29 19:04 UTC by John Helmert III
Modified: 2024-01-12 10:54 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 19:04:37 UTC
Details in tracker. This package bundles the vulnerable Go package; is the exporter actually vulnerable?
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-25 13:32:38 UTC
snmp_exporter-0.21.0 in Gentoo uses exporter-toolkit 0.8.1 and is vulnerable.

Please update to a newer version of snmp_exporter. snmp-exporter 0.23.0 appears to be the first version with fixed exporter-toolkit 0.8.2.
Comment 2 Larry the Git Cow gentoo-dev 2023-10-29 17:22:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3448245ff66ebd4df46bcef57da81492fcedd6df

commit 3448245ff66ebd4df46bcef57da81492fcedd6df
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-10-29 17:15:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-10-29 17:21:50 +0000

    app-metrics/snmp_exporter: add 0.24.1
    
    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-metrics/snmp_exporter/Manifest                 |  2 +
 .../snmp_exporter/snmp_exporter-0.24.1.ebuild      | 52 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-07 05:24:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b37d32ef5866c70fcf9c73329547670505bbd014

commit b37d32ef5866c70fcf9c73329547670505bbd014
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-07 05:23:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-07 05:23:19 +0000

    app-metrics/snmp_exporter: drop 0.21.0
    
    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-metrics/snmp_exporter/Manifest                 |  2 -
 .../snmp_exporter/snmp_exporter-0.21.0.ebuild      | 52 ----------------------
 2 files changed, 54 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-12 10:53:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e492570856b594062317bd546458906bb588293d

commit e492570856b594062317bd546458906bb588293d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-12 10:52:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-12 10:53:09 +0000

    [ GLSA 202401-15 ] Prometheus SNMP Exporter: Basic Authentication Bypass
    
    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-15.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)