883639 – (CVE-2022-46146) [Tracker] Prometheus basic authentication bypass via exporter-toolkit

Bug 883639 (CVE-2022-46146) - [Tracker] Prometheus basic authentication bypass via exporter-toolkit

Summary: [Tracker] Prometheus basic authentication bypass via exporter-toolkit

Status:	CONFIRMED

Alias:	CVE-2022-46146

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/prometheus/exporte...
Whiteboard:
Keywords:

Depends on:	883637 883651 883653 890162 883647 883649
Blocks:
	Show dependency tree

Reported:	2022-11-29 18:26 UTC by John Helmert III
Modified:	2023-01-07 23:32 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-11-29 18:26:04 UTC

CVE-2022-46146:

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, i someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

Patch: https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
oss-security discussion: http://www.openwall.com/lists/oss-security/2022/11/29/1