CVE-2022-46146
Description
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
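The description above says the toolkit's built-in basic-auth cache could be poisoned by someone who knows a user's bcrypt hash, but the page does not spell out the request sequence, and the example below does not try to reconstruct the toolkit's handler. It is an added illustration, written for this page rather than taken from the project, of the bug class: an authentication-result cache keyed on attacker-influenced strings joined with a bare separator is not injective, so a verdict cached for one (user, stored hash, password) triple can be served for a different triple. `JoinKey`, `EncodedKey`, `AuthCache` and the sha256 stand-in for bcrypt are this example's own constructions; the colliding second triple in `Poisoned` is chosen to exercise the key function and is not a claim about which requests a client can reach against the toolkit.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// Illustrative code for the bug class behind CVE-2022-46146. It is not
// exporter-toolkit code. An auth-result cache is only safe if its key
// derivation is injective: two distinct (user, stored hash, password)
// triples must never share a key, or one cached "true" is replayable.

// KeyFunc derives the cache key from the username, the hash stored in the
// server config (web.yml in the toolkit's case) and the client's password.
type KeyFunc func(user, storedHash, password string) string

// JoinKey is the weak derivation: raw strings joined with ":". The client
// controls the password and may put ":" in it, so boundaries are ambiguous.
func JoinKey(user, storedHash, password string) string {
	return strings.Join([]string{user, storedHash, password}, ":")
}

// EncodedKey hex-encodes every component before joining, so ":" can only be
// a separator and distinct triples always yield distinct keys.
func EncodedKey(user, storedHash, password string) string {
	return strings.Join([]string{
		hex.EncodeToString([]byte(user)),
		hex.EncodeToString([]byte(storedHash)),
		hex.EncodeToString([]byte(password)),
	}, ":")
}

// hashPassword is a stand-in for bcrypt (assumption: avoids a non-stdlib
// dependency so the example runs offline). The cache logic is hash-agnostic.
func hashPassword(password string) string {
	sum := sha256.Sum256([]byte("demo-salt:" + password))
	return hex.EncodeToString(sum[:])
}

// checkPassword is the expensive verification the cache exists to avoid.
func checkPassword(storedHash, password string) bool {
	return subtle.ConstantTimeCompare([]byte(storedHash), []byte(hashPassword(password))) == 1
}

// AuthCache memoises verification verdicts per derived key.
type AuthCache struct {
	keyFn   KeyFunc
	mu      sync.Mutex
	results map[string]bool
}

func NewAuthCache(keyFn KeyFunc) *AuthCache {
	return &AuthCache{keyFn: keyFn, results: make(map[string]bool)}
}

// Authenticate returns a cached verdict when the derived key is known and
// otherwise verifies the password and records the result.
func (c *AuthCache) Authenticate(user, storedHash, password string) bool {
	key := c.keyFn(user, storedHash, password)
	c.mu.Lock()
	defer c.mu.Unlock()
	if ok, hit := c.results[key]; hit {
		return ok
	}
	ok := checkPassword(storedHash, password)
	c.results[key] = ok
	return ok
}

// Poisoned sends a genuine login followed by a distinct, invalid triple that
// JoinKey maps to the same string, and reports whether the invalid triple
// was accepted. The second triple is constructed purely for illustration.
func Poisoned(keyFn KeyFunc) bool {
	cache := NewAuthCache(keyFn)
	goodHash := hashPassword("p:q")
	if !cache.Authenticate("alice", goodHash, "p:q") {
		panic("legitimate login must succeed")
	}
	// Wrong stored hash and wrong password, yet
	// "alice:" + goodHash + ":p" + ":" + "q" equals the first request's key.
	return cache.Authenticate("alice", goodHash+":p", "q")
}

func main() {
	fmt.Println("JoinKey collides:", JoinKey("alice", "H", "p:q") == JoinKey("alice", "H:p", "q"))
	fmt.Println("EncodedKey collides:", EncodedKey("alice", "H", "p:q") == EncodedKey("alice", "H:p", "q"))
	fmt.Println("poisoned with JoinKey:", Poisoned(JoinKey))
	fmt.Println("poisoned with EncodedKey:", Poisoned(EncodedKey))
}
```

The practical check this suggests for any memoised credential verifier: write a unit test asserting that distinct input tuples never derive the same key, and encode (hex, base64, or length-prefix) every component before concatenation rather than relying on a separator that one of the components may legitimately contain.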
Mitigations
Upgrade to exporter-toolkit 0.7.2 or 0.8.2 (or a later release); distribution fixed versions are listed below.
Workaround
There is no workaround, but an attacker must have access to the users' bcrypt password hashes (the web.yml file) to exploit this.
Debian security tracker entry
| Field | Value |
|---|---|
| Name | CVE-2022-46146 |
| Description | Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1025127 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-prometheus-exporter-toolkit (PTS) | bullseye | 0.5.1-2+deb11u2 | fixed |
| golang-github-prometheus-exporter-toolkit (PTS) | bookworm | 0.8.2-2 | fixed |
| golang-github-prometheus-exporter-toolkit (PTS) | trixie | 0.14.0-1 | fixed |
| golang-github-prometheus-exporter-toolkit (PTS) | forky, sid | 0.16.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-prometheus-exporter-toolkit | source | bullseye | 0.5.1-2+deb11u2 | | | |
| golang-github-prometheus-exporter-toolkit | source | (unstable) | 0.8.2-1 | | | 1025127 |
Notes
https://www.openwall.com/lists/oss-security/2022/11/29/1
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 (v0.8.2)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 0.8.2-1 |
| debian | bullseye | fixed | 0.5.1-2+deb11u2 |
| debian | forky | fixed | 0.8.2-1 |
| debian | sid | fixed | 0.8.2-1 |
| debian | trixie | fixed | 0.8.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/prometheus/exporter-toolkit | <0.7.2 | 0.7.2 |
| Go | github.com/prometheus/exporter-toolkit | >=0.8.0,<0.8.2 | 0.8.2 |
References
- https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
- https://nvd.nist.gov/vuln/detail/CVE-2022-46146
- https://github.com/prometheus/exporter-toolkit/commit/25288779bc59d00c41b4a1706c6b87f0561ef2d7
- https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
- https://github.com/prometheus/exporter-toolkit
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y
- https://security.gentoo.org/glsa/202401-15
- http://www.openwall.com/lists/oss-security/2022/11/29/1
- http://www.openwall.com/lists/oss-security/2022/11/29/2
- http://www.openwall.com/lists/oss-security/2022/11/29/4
- https://www.suse.com/security/cve/CVE-2022-46146.html
- https://security-tracker.debian.org/tracker/CVE-2022-46146