{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-46146","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2024-08-03T14:24:03.295Z","dateReserved":"2022-11-28T00:00:00.000Z","datePublished":"2022-11-29T00:00:00.000Z"},"containers":{"cna":{"title":"Prometheus Exporter Toolkit vulnerable to basic authentication bypass","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-01-12T12:06:19.456Z"},"descriptions":[{"lang":"en","value":"Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypt-hashed passwords, they can bypass authentication by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to exploit this issue."}],"affected":[{"vendor":"prometheus","product":"exporter-toolkit","versions":[{"version":"< 0.7.2","status":"affected"},{"version":">= 0.8.0, < 0.8.2","status":"affected"}]}],"references":[{"url":"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"},{"url":"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"},{"name":"[oss-security] 20221129 CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/1"},{"name":"[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/2"},{"name":"[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/4"},{"name":"FEDORA-2023-cf176d02d8","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"},{"name":"FEDORA-2023-1b25579262","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"},{"name":"FEDORA-2023-c1318fb7f8","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"},{"name":"GLSA-202401-15","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202401-15"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.2,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-303: Incorrect Implementation of Authentication Algorithm","cweId":"CWE-303"}]},{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-287: Improper Authentication","cweId":"CWE-287"}]}],"source":{"advisory":"GHSA-7rg2-cxvp-9p7p","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T14:24:03.295Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p","tags":["x_transferred"]},{"url":"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5","tags":["x_transferred"]},{"name":"[oss-security] 20221129 CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/1"},{"name":"[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/2"},{"name":"[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication","tags":["mailing-list","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2022/11/29/4"},{"name":"FEDORA-2023-cf176d02d8","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"},{"name":"FEDORA-2023-1b25579262","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"},{"name":"FEDORA-2023-c1318fb7f8","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"},{"name":"GLSA-202401-15","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202401-15"}]}]}}