Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-46146 (GCVE-0-2022-46146)
Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2024-08-03 14:24
VLAI
EPSS
Title
Prometheus Exporter Toolkit vulnerable to basic authentication bypass
Summary
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Severity
6.2 (Medium)
CWE
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/exporter-toolkit/se… | |
| https://github.com/prometheus/exporter-toolkit/co… | |
| http://www.openwall.com/lists/oss-security/2022/11/29/1 | mailing-list |
| http://www.openwall.com/lists/oss-security/2022/11/29/2 | mailing-list |
| http://www.openwall.com/lists/oss-security/2022/11/29/4 | mailing-list |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://security.gentoo.org/glsa/202401-15 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | exporter-toolkit |
Affected:
< 0.7.2
Affected: >= 0.8.0, < 0.8.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"name": "FEDORA-2023-cf176d02d8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"name": "FEDORA-2023-1b25579262",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"name": "FEDORA-2023-c1318fb7f8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"name": "GLSA-202401-15",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202401-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "exporter-toolkit",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 0.7.2"
},
{
"status": "affected",
"version": "\u003e= 0.8.0, \u003c 0.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T12:06:19.456Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"name": "FEDORA-2023-cf176d02d8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"name": "FEDORA-2023-1b25579262",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"name": "FEDORA-2023-c1318fb7f8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"name": "GLSA-202401-15",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202401-15"
}
],
"source": {
"advisory": "GHSA-7rg2-cxvp-9p7p",
"discovery": "UNKNOWN"
},
"title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46146",
"datePublished": "2022-11-29T00:00:00.000Z",
"dateReserved": "2022-11-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T14:24:03.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-46146",
"date": "2026-05-30",
"epss": "0.00185",
"percentile": "0.39986"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-46146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-29T14:15:13.283\",\"lastModified\":\"2024-11-21T07:30:11.987\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.\"},{\"lang\":\"es\",\"value\":\"Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-303\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.7.2\",\"matchCriteriaId\":\"715C0429-EE84-443F-B5F2-D2D3F6CE74AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.8.0\",\"versionEndExcluding\":\"0.8.2\",\"matchCriteriaId\":\"A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202401-15\",\"source\":\"security-advisories@github.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202401-15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Title
Уязвимость реализации алгоритма хеширования bcrypt библиотеки для экспорта файлов системы Prometheus Exporter Toolkit, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации
Description
Уязвимость реализации алгоритма хеширования bcrypt библиотеки для экспорта файлов системы Prometheus Exporter Toolkit связана с обходом аутентификации при обработке файла web.yml. Эксплуатация уязвимости может позволить нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации
Severity
Vendor
Novell Inc., Red Hat Inc., Сообщество свободного программного обеспечения
Software Name
SUSE Linux Enterprise Server for SAP Applications, openSUSE Tumbleweed, SUSE CaaS Platform, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, OpenSUSE Leap, SUSE Manager Proxy, SUSE Manager Server, SUSE Enterprise Storage, Red Hat OpenShift Container Platform, Suse Linux Enterprise Desktop, SUSE Manager Retail Branch Server, Red Hat Enterprise Linux, SUSE Manager Tools, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Real Time, SUSE Linux Enterprise Module for Package Hub, SUSE Linux Enterprise Module for SAP Applications, Exporter Toolkit
Software Version
12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), - (openSUSE Tumbleweed), 4.0 (SUSE CaaS Platform), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Manager Tools), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Basesystem), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Real Time), 15 SP4 (SUSE Linux Enterprise Module for Package Hub), 15 SP1 (SUSE Linux Enterprise Module for SAP Applications), 15 SP2 (SUSE Linux Enterprise Module for SAP Applications), 15 SP3 (SUSE Linux Enterprise Module for SAP Applications), 15 SP4 (SUSE Linux Enterprise Module for SAP Applications), до 0.7.2 (Exporter Toolkit), от 0.8.0 до 0.8.2 (Exporter Toolkit), 15 (SUSE Manager Tools)
Possible Mitigations
Использование рекомендаций:
Для Prometheus Exporter Toolkit:
https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
Для продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2022-46146
Для продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-46146.htm
Reference
http://www.openwall.com/lists/oss-security/2022/11/29/1
http://www.openwall.com/lists/oss-security/2022/11/29/2
http://www.openwall.com/lists/oss-security/2022/11/29/4
https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
https://www.suse.com/security/cve/CVE-2022-46146.html
https://vuldb.com/ru/?id.214520
CWE
CWE-287, CWE-303, CWE-305
{
"CVSS 2.0": "AV:L/AC:L/Au:N/C:C/I:N/A:N",
"CVSS 3.0": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "12 SP4 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), - (openSUSE Tumbleweed), 4.0 (SUSE CaaS Platform), 15 SP1-LTSS (Suse Linux Enterprise Server), 15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 9 (Red Hat Enterprise Linux), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 12 (SUSE Manager Tools), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Basesystem), 15 SP3-LTSS (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Real Time), 15 SP4 (SUSE Linux Enterprise Module for Package Hub), 15 SP1 (SUSE Linux Enterprise Module for SAP Applications), 15 SP2 (SUSE Linux Enterprise Module for SAP Applications), 15 SP3 (SUSE Linux Enterprise Module for SAP Applications), 15 SP4 (SUSE Linux Enterprise Module for SAP Applications), \u0434\u043e 0.7.2 (Exporter Toolkit), \u043e\u0442 0.8.0 \u0434\u043e 0.8.2 (Exporter Toolkit), 15 (SUSE Manager Tools)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Prometheus Exporter Toolkit:\nhttps://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2022-46146\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-46146.htm",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "28.11.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.05.2023",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.05.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-02338",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-46146",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SUSE Linux Enterprise Server for SAP Applications, openSUSE Tumbleweed, SUSE CaaS Platform, Suse Linux Enterprise Server, SUSE Linux Enterprise High Performance Computing, OpenSUSE Leap, SUSE Manager Proxy, SUSE Manager Server, SUSE Enterprise Storage, Red Hat OpenShift Container Platform, Suse Linux Enterprise Desktop, SUSE Manager Retail Branch Server, Red Hat Enterprise Linux, SUSE Manager Tools, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Real Time, SUSE Linux Enterprise Module for Package Hub, SUSE Linux Enterprise Module for SAP Applications, Exporter Toolkit",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 , Novell Inc. openSUSE Tumbleweed - , Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS , Novell Inc. OpenSUSE Leap 15.4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Desktop 15 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Red Hat Inc. Red Hat Enterprise Linux 9 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS , Novell Inc. SUSE Linux Enterprise Real Time 15 SP3 , Novell Inc. SUSE Linux Enterprise Module for Package Hub 15 SP4 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0445\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f bcrypt \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0430 \u0444\u0430\u0439\u043b\u043e\u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Prometheus Exporter Toolkit, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f (CWE-287), \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 (CWE-303), \u041e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0432 \u0441\u0438\u043b\u0443 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0439 \u043e\u0448\u0438\u0431\u043a\u0438 (CWE-305)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c\u0430 \u0445\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f bcrypt \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0430 \u0444\u0430\u0439\u043b\u043e\u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u044b Prometheus Exporter Toolkit \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0444\u0430\u0439\u043b\u0430 web.yml. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://www.openwall.com/lists/oss-security/2022/11/29/1 \nhttp://www.openwall.com/lists/oss-security/2022/11/29/2 \nhttp://www.openwall.com/lists/oss-security/2022/11/29/4 \nhttps://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 \nhttps://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p\nhttps://www.suse.com/security/cve/CVE-2022-46146.html\nhttps://vuldb.com/ru/?id.214520",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-287, CWE-303, CWE-305",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,9)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)"
}
Title
prometheus exporter_toolkit存在未明漏洞
Description
Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。
Prometheus Exporter Toolkit 0.7.2及0.8.2之前版本存在未明漏洞,攻击者可利用漏洞伪造请求,以破坏用于缓存哈希计算的内部缓存方式,绕过安全性使用此功能。
Severity
中
Patch Name
prometheus exporter_toolkit存在未明漏洞的补丁
Patch Description
Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。
Prometheus公司下的Prometheus Exporter Toolkit在0.7.2和0.82之前版本存在安全漏洞。攻击者可利用漏洞伪造请求,以破坏用于缓存哈希计算的内部缓存方式,绕过安全性使用此功能。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/prometheus/exportertoolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5
Reference
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
Impacted products
| Name | ['Prometheus exporter_toolkit <0.7.2', 'Prometheus exporter_toolkit <0.8.2'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-46146",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-46146"
}
},
"description": "Prometheus\u662f\u4e00\u6b3e\u4f7f\u7528Go\u8bed\u8a00\u7f16\u5199\u7684\u3001\u7528\u4e8e\u8bb0\u5f55\u4f7f\u7528HTTP\u62c9\u6a21\u578b\u6784\u5efa\u7684\u65f6\u95f4\u5e8f\u5217\u6570\u636e\u5e93\u4e2d\u5b9e\u65f6\u6307\u6807\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\n\nPrometheus Exporter Toolkit 0.7.2\u53ca0.8.2\u4e4b\u524d\u7248\u672c\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f2a\u9020\u8bf7\u6c42\uff0c\u4ee5\u7834\u574f\u7528\u4e8e\u7f13\u5b58\u54c8\u5e0c\u8ba1\u7b97\u7684\u5185\u90e8\u7f13\u5b58\u65b9\u5f0f\uff0c\u7ed5\u8fc7\u5b89\u5168\u6027\u4f7f\u7528\u6b64\u529f\u80fd\u3002",
"discovererName": "Lei Wan",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/prometheus/exportertoolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-84554",
"openTime": "2022-12-05",
"patchDescription": "Prometheus\u662f\u4e00\u6b3e\u4f7f\u7528Go\u8bed\u8a00\u7f16\u5199\u7684\u3001\u7528\u4e8e\u8bb0\u5f55\u4f7f\u7528HTTP\u62c9\u6a21\u578b\u6784\u5efa\u7684\u65f6\u95f4\u5e8f\u5217\u6570\u636e\u5e93\u4e2d\u5b9e\u65f6\u6307\u6807\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\r\n\r\nPrometheus\u516c\u53f8\u4e0b\u7684Prometheus Exporter Toolkit\u57280.7.2\u548c0.82\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f2a\u9020\u8bf7\u6c42\uff0c\u4ee5\u7834\u574f\u7528\u4e8e\u7f13\u5b58\u54c8\u5e0c\u8ba1\u7b97\u7684\u5185\u90e8\u7f13\u5b58\u65b9\u5f0f\uff0c\u7ed5\u8fc7\u5b89\u5168\u6027\u4f7f\u7528\u6b64\u529f\u80fd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "prometheus exporter_toolkit\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Prometheus exporter_toolkit \u003c0.7.2",
"Prometheus exporter_toolkit \u003c0.8.2"
]
},
"referenceLink": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
"serverity": "\u4e2d",
"submitTime": "2022-12-01",
"title": "prometheus exporter_toolkit\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}
FKIE_CVE-2022-46146
Vulnerability from fkie_nvd - Published: 2022-11-29 14:15 - Updated: 2024-11-21 07:30
Severity
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | exporter_toolkit | * | |
| prometheus | exporter_toolkit | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "715C0429-EE84-443F-B5F2-D2D3F6CE74AD",
"versionEndExcluding": "0.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0",
"versionEndExcluding": "0.8.2",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
},
{
"lang": "es",
"value": "Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust."
}
],
"id": "CVE-2022-46146",
"lastModified": "2024-11-21T07:30:11.987",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-29T14:15:13.283",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"source": "security-advisories@github.com",
"url": "https://security.gentoo.org/glsa/202401-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202401-15"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-7RG2-CXVP-9P7P
Vulnerability from github – Published: 2022-12-02 22:25 – Updated: 2022-12-02 22:25
VLAI
Summary
Prometheus Exporter-Toolkit is vulnerable to authentication bypass
Details
Impact
Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.
However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.
Patches
The exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.
Workarounds
There is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.
Credit
We want to thank Lei Wan reporting this security issue.
Severity
6.2 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/prometheus/exporter-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/prometheus/exporter-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46146"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-02T22:25:46Z",
"nvd_published_at": "2022-11-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nPrometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.\n\nPasswords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.\n\nHowever, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.\n\nA request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.\n\n### Patches\n\nThe exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.\n\n### Workarounds\n\nThere is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.\n\n### Credit\n\nWe want to thank Lei Wan reporting this security issue.\n",
"id": "GHSA-7rg2-cxvp-9p7p",
"modified": "2022-12-02T22:25:46Z",
"published": "2022-12-02T22:25:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46146"
},
{
"type": "WEB",
"url": "https://github.com/prometheus/exporter-toolkit/commit/25288779bc59d00c41b4a1706c6b87f0561ef2d7"
},
{
"type": "WEB",
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"type": "PACKAGE",
"url": "https://github.com/prometheus/exporter-toolkit"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-15"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prometheus Exporter-Toolkit is vulnerable to authentication bypass"
}
GSD-2022-46146
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-46146",
"id": "GSD-2022-46146",
"references": [
"https://www.suse.com/security/cve/CVE-2022-46146.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-46146"
],
"details": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"id": "GSD-2022-46146",
"modified": "2023-12-13T01:19:37.656654Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-46146",
"STATE": "PUBLIC",
"TITLE": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "exporter-toolkit",
"version": {
"version_data": [
{
"version_value": "\u003c 0.7.2"
},
{
"version_value": "\u003e= 0.8.0, \u003c 0.8.2"
}
]
}
}
]
},
"vendor_name": "prometheus"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-303: Incorrect Implementation of Authentication Algorithm"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"name": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
"refsource": "MISC",
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"name": "[oss-security] 20221129 CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"name": "[oss-security] 20221129 Re: CVE-2022-46146 in Prometheus\u0027 exporter toolkit: bypass basic authentication",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"name": "FEDORA-2023-cf176d02d8",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"name": "FEDORA-2023-1b25579262",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"name": "FEDORA-2023-c1318fb7f8",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"name": "GLSA-202401-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202401-15"
}
]
},
"source": {
"advisory": "GHSA-7rg2-cxvp-9p7p",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.7.2 || \u003e=v0.8.0 \u003cv0.8.2",
"affected_versions": "All versions before 0.7.2, all versions starting from 0.8.0 before 0.8.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2023-02-01",
"description": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"fixed_versions": [
"v0.7.2",
"v0.8.2"
],
"identifier": "CVE-2022-46146",
"identifiers": [
"CVE-2022-46146",
"GHSA-7rg2-cxvp-9p7p"
],
"not_impacted": "",
"package_slug": "go/github.com/prometheus/exporter-toolkit",
"pubdate": "2022-11-29",
"solution": "Upgrade to versions 0.7.2, 0.8.2 or above.",
"title": "Improper Authentication",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-46146",
"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p",
"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5",
"http://www.openwall.com/lists/oss-security/2022/11/29/1",
"http://www.openwall.com/lists/oss-security/2022/11/29/2",
"http://www.openwall.com/lists/oss-security/2022/11/29/4"
],
"uuid": "780d3265-250f-40b6-bd8e-3877dc4d58a7",
"versions": [
{
"commit": {
"sha": "4b760faf1dd6f471488602abfc495d117873c6ca",
"tags": [
"v0.8.0"
],
"timestamp": "20221019072355"
},
"number": "v0.8.0"
},
{
"commit": {
"sha": "c9c27502906e3dc6e9dc4edce795b779aaf1f7e0",
"tags": [
"v0.8.2"
],
"timestamp": "20221129092249"
},
"number": "v0.8.2"
},
{
"commit": {
"sha": "4d4a645bb2c37d9f53297a12f7fdae0809312b91",
"tags": [
"v0.7.2"
],
"timestamp": "20221129092249"
},
"number": "v0.7.2"
}
]
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "715C0429-EE84-443F-B5F2-D2D3F6CE74AD",
"versionEndExcluding": "0.7.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:prometheus:exporter_toolkit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2B307E0-6990-48D5-8AE1-7F4E95EBF8A0",
"versionEndExcluding": "0.8.2",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality."
},
{
"lang": "es",
"value": "Un usuario pod\u00eda eliminar un perfil VPN del cliente m\u00f3vil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La funci\u00f3n lock-warp-switch est\u00e1 habilitada en Zero Trust Platform. Esto llev\u00f3 a eludir las pol\u00edticas y restricciones impuestas a los dispositivos inscritos por la plataforma Zero Trust."
}
],
"id": "CVE-2022-46146",
"lastModified": "2024-01-12T12:15:45.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2022-11-29T14:15:13.283",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y/"
},
{
"source": "security-advisories@github.com",
"url": "https://security.gentoo.org/glsa/202401-15"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
}
}
}
MSRC_CVE-2022-46146
Vulnerability from csaf_microsoft - Published: 2022-11-02 00:00 - Updated: 2026-02-18 01:55Summary
Prometheus Exporter Toolkit vulnerable to basic authentication bypass
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
8.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 18829-17084 | — | ||
| Unresolved product id: 20089-17084 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-46146.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass",
"tracking": {
"current_release_date": "2026-02-18T01:55:34.000Z",
"generator": {
"date": "2026-02-18T11:52:17.130Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2022-46146",
"initial_release_date": "2022-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-18T01:55:34.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus-process-exporter 0.8.2-1",
"product": {
"name": "\u003cazl3 prometheus-process-exporter 0.8.2-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 prometheus-process-exporter 0.8.2-1",
"product": {
"name": "azl3 prometheus-process-exporter 0.8.2-1",
"product_id": "18829"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 prometheus-process-exporter 0.7.10-15",
"product": {
"name": "\u003cazl3 prometheus-process-exporter 0.7.10-15",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 prometheus-process-exporter 0.7.10-15",
"product": {
"name": "azl3 prometheus-process-exporter 0.7.10-15",
"product_id": "20089"
}
}
],
"category": "product_name",
"name": "prometheus-process-exporter"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus-process-exporter 0.8.2-1 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus-process-exporter 0.8.2-1 as a component of Azure Linux 3.0",
"product_id": "18829-17084"
},
"product_reference": "18829",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 prometheus-process-exporter 0.7.10-15 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 prometheus-process-exporter 0.7.10-15 as a component of Azure Linux 3.0",
"product_id": "20089-17084"
},
"product_reference": "20089",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-46146",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"18829-17084",
"20089-17084"
],
"known_affected": [
"17084-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-46146.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-11T00:00:00.000Z",
"details": "0.8.2-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-2",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17084-2",
"17084-1"
]
}
],
"title": "Prometheus Exporter Toolkit vulnerable to basic authentication bypass"
}
]
}
OPENSUSE-SU-2024:12637-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the golang-github-prometheus-node_exporter-1.5.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12637
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-prometheus-node_exporter-1.5.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12637",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12637-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-27191 page",
"url": "https://www.suse.com/security/cve/CVE-2022-27191/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "golang-github-prometheus-node_exporter-1.5.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12637-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"product": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"product": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"product": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
"product": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
"product_id": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le"
},
"product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x"
},
"product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
},
"product_reference": "golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-27191",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-27191"
}
],
"notes": [
{
"category": "general",
"text": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-27191",
"url": "https://www.suse.com/security/cve/CVE-2022-27191"
},
{
"category": "external",
"summary": "SUSE Bug 1197284 for CVE-2022-27191",
"url": "https://bugzilla.suse.com/1197284"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-27191"
},
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-node_exporter-1.5.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
OPENSUSE-SU-2024:12650-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
golang-github-prometheus-prometheus-2.41.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: golang-github-prometheus-prometheus-2.41.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the golang-github-prometheus-prometheus-2.41.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12650
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "golang-github-prometheus-prometheus-2.41.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the golang-github-prometheus-prometheus-2.41.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12650",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12650-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "golang-github-prometheus-prometheus-2.41.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12650-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"product": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"product": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"product": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
"product": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
"product_id": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64"
},
"product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le"
},
"product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x"
},
"product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
},
"product_reference": "golang-github-prometheus-prometheus-2.41.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.aarch64",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.ppc64le",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.s390x",
"openSUSE Tumbleweed:golang-github-prometheus-prometheus-2.41.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
OPENSUSE-SU-2024:12691-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media
Description of the patch: These are all security issues fixed in the prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12691
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12691",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12691-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12691-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"product": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"product": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"product": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
"product": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
"product_id": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64"
},
"product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le"
},
"product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x"
},
"product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
},
"product_reference": "prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.aarch64",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.ppc64le",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.s390x",
"openSUSE Tumbleweed:prometheus-ha_cluster_exporter-1.3.1+git.1676027782.ad3c0e9-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
OPENSUSE-SU-2024:12700-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
grafana-8.5.20-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-8.5.20-2.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-8.5.20-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12700
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-8.5.20-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-8.5.20-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12700",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12700-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "grafana-8.5.20-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12700-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-2.1.aarch64",
"product": {
"name": "grafana-8.5.20-2.1.aarch64",
"product_id": "grafana-8.5.20-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-2.1.ppc64le",
"product": {
"name": "grafana-8.5.20-2.1.ppc64le",
"product_id": "grafana-8.5.20-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-2.1.s390x",
"product": {
"name": "grafana-8.5.20-2.1.s390x",
"product_id": "grafana-8.5.20-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-2.1.x86_64",
"product": {
"name": "grafana-8.5.20-2.1.x86_64",
"product_id": "grafana-8.5.20-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64"
},
"product_reference": "grafana-8.5.20-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le"
},
"product_reference": "grafana-8.5.20-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x"
},
"product_reference": "grafana-8.5.20-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
},
"product_reference": "grafana-8.5.20-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-8.5.20-2.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…