CVE-2022-46146

Summary

CVE: CVE-2022-46146
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-11-29 14:15:00 UTC
Updated: 2024-01-12 12:15:00 UTC
Description: Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to use this functionality.

Risk And Classification

Problem Types: CWE-287 | CWE-303

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor     | Product          | Version | Update | Edition | Language
Application | Prometheus | Exporter Toolkit | All     | All    | All     | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 37 Update: golang-github-xhit-str2duration-2.1.0-3.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 38 Update: golang-gopkg-alecthomas-kingpin-2-2.3.2-1.fc38 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 38 Update: golang-gopkg-alecthomas-kingpin-2-2.3.2-1.fc38 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
oss-security - Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication | MLIST | www.openwall.com |
oss-security - CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication | MLIST | www.openwall.com |
Basic authentication bypass · Advisory · prometheus/exporter-toolkit · GitHub | CONFIRM | github.com |
Prometheus SNMP Exporter: Basic Authentication Bypass (GLSA 202401-15) - Gentoo security | | security.gentoo.org |
Merge pull request from GHSA-7rg2-cxvp-9p7p · prometheus/exporter-toolkit@5b1eab3 · GitHub | MISC | github.com |
[SECURITY] Fedora 37 Update: golang-github-xhit-str2duration-2.1.0-3.fc37 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 39 Update: golang-gopkg-alecthomas-kingpin-2-2.3.2-1.fc39 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 39 Update: golang-gopkg-alecthomas-kingpin-2-2.3.2-1.fc39 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 182705 Debian Security Update for golang-github-prometheus-exporter-toolkit (CVE-2022-46146)
  • 284531 Fedora Security Update for golang (FEDORA-2023-1b25579262)
  • 284532 Fedora Security Update for golang (FEDORA-2023-c1318fb7f8)
  • 285261 Fedora Security Update for golang (FEDORA-2023-cf176d02d8)
  • 502916 Alpine Linux Security Update for prometheus-node-exporter
  • 502917 Alpine Linux Security Update for prometheus
  • 503220 Alpine Linux Security Update for prometheus
  • 505797 Alpine Linux Security Update for prometheus-node-exporter
  • 506168 Alpine Linux Security Update for prometheus
  • 691042 Free Berkeley Software Distribution (FreeBSD) Security Update for prometheus2 (791a09c5-a086-11ed-954d-b42e991fc52e)
  • 691047 Free Berkeley Software Distribution (FreeBSD) Security Update for node_exporter (d835c54f-a4bd-11ed-b6af-b42e991fc52e)
  • 710833 Gentoo Linux Prometheus Simple Network Management Protocol (SNMP) Exporter Basic Authentication Bypass Vulnerability (GLSA 202401-15)
  • 753721 SUSE Enterprise Linux Security Update for prometheus-ha_cluster_exporter (SUSE-SU-2023:0465-1)
  • 753725 SUSE Enterprise Linux Security Update for prometheus-ha_cluster_exporter (SUSE-SU-2023:0460-1)
  • 753728 SUSE Enterprise Linux Security Update for prometheus-ha_cluster_exporter (SUSE-SU-2023:0467-1)
  • 753815 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:0812-1)
  • 753994 SUSE Enterprise Linux Security Update for Prometheus Golang clients (SUSE-SU-2023:2187-1)
  • 753995 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:2183-1)
  • 754116 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:2578-1)
  • 754205 SUSE Enterprise Linux Security Update for prometheus-ha_cluster_exporter (SUSE-SU-2023:0467-1)
  • 754978 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:3868-1)
  • 754979 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2023:3867-1)
  • 755844 SUSE Enterprise Linux Security Update for suse manager server 4.2 (SUSE-SU-2023:2594-1)
  • 755846 SUSE Enterprise Linux Security Update for golang-github-prometheus-prometheus (SUSE-SU-2023:2598-1)
  • 755883 SUSE Enterprise Linux Security Update for suse manager 4.3: server (SUSE-SU-2023:2181-1)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
