Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-202401-15
HistoryJan 12, 2024 - 12:00 a.m.

Prometheus SNMP Exporter: Basic Authentication Bypass

2024-01-1200:00:00
Gentoo Foundation
security.gentoo.org
19
prometheus
snmp exporter
authentication bypass
vulnerability
upgrade

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

77.6%

JSON

Background

The Prometheus SNMP Exporter is the recommended way to expose SNMP data in a format which Prometheus can ingest.

Description

A vulnerability has been discovered in Prometheus SNMP Exporter. Please review the CVE identifier referenced below for details.

Impact

A user who knows the password hash of a user capable of performing HTTP basic authentication with a vulnerable exporter can use the hash to successfully authenticate as that user via cache manipulation, without knowing the password from which the hash was derived.

Workaround

There is no known workaround at this time.

Resolution

All Prometheus SNMP Exporter users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-metrics/snmp_exporter-0.24.1"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-metrics/snmp_exporter< 0.24.1UNKNOWN

Related

fedora 9
osv 3
nessus 20
prion 1
cgr 1
cvelist 1
github 1
freebsd 2
openvas 18
redhatcve 1
debiancve 1
veracode 1
ubuntucve 1
cnvd 1
alpinelinux 1
nvd 1
cve 1
redhat 3
fedora
fedora
[SECURITY] Fedora 37 Update: golang-github-xhit-str2duration-2.1.0-3.fc37
2023-09-21 01:22:17
[SECURITY] Fedora 39 Update: golang-gopkg-alecthomas-kingpin-2-2.3.2-1.fc39
2023-09-20 00:20:44
[SECURITY] Fedora 39 Update: golang-github-prometheus-exporter-toolkit-0.10.0-1.fc39
2023-09-20 00:20:43
osv
osv
Authentication bypass in github.com/prometheus/exporter-toolkit
2022-11-29 16:33:47
Prometheus Exporter-Toolkit is vulnerable to authentication bypass
2022-12-02 22:25:46
CVE-2022-46146
2022-11-29 14:15:13
nessus
nessus
SUSE SLES12 Security Update : prometheus-ha_cluster_exporter (SUSE-SU-2023:0467-1)
2023-02-22 00:00:00
Fedora 39 : golang-github-prometheus-exporter-toolkit / etc (2023-cf176d02d8)
2023-11-07 00:00:00
FreeBSD : node_exporter -- bypass security with cache poisoning (d835c54f-a4bd-11ed-b6af-b42e991fc52e)
2023-02-04 00:00:00
prion
prion
Design/Logic Flaw
2022-11-29 14:15:00
cgr
cgr
CVE-2022-46146 vulnerabilities
2024-05-19 03:07:16
cvelist
cvelist
CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass
2022-11-29 00:00:00
github
github
Prometheus Exporter-Toolkit is vulnerable to authentication bypass
2022-12-02 22:25:46
freebsd
freebsd
prometheus2 -- basic authentication bypass
2022-11-28 00:00:00
node_exporter -- bypass security with cache poisoning
2021-11-28 00:00:00
openvas
openvas
Fedora: Security Advisory for golang-github-prometheus-exporter-toolkit (FEDORA-2023-c1318fb7f8)
2023-09-22 00:00:00
Fedora: Security Advisory for golang-gopkg-alecthomas-kingpin-2 (FEDORA-2023-1b25579262)
2023-09-22 00:00:00
openSUSE: Security Advisory for prometheus (SUSE-SU-2023:0465-1)
2024-03-04 00:00:00
redhatcve
redhatcve
CVE-2022-46146
2022-11-29 21:56:18
debiancve
debiancve
CVE-2022-46146
2022-11-29 14:15:13
veracode
veracode
Authentication Bypass
2022-11-30 03:28:11
ubuntucve
ubuntucve
CVE-2022-46146
2022-11-29 00:00:00
cnvd
cnvd
Unspecified vulnerability in prometheus exporter_toolkit
2022-12-01 00:00:00
alpinelinux
alpinelinux
CVE-2022-46146
2022-11-29 14:15:13
nvd
nvd
CVE-2022-46146
2022-11-29 14:15:13
cve
cve
CVE-2022-46146
2022-11-29 14:15:13
redhat
redhat
(RHSA-2023:2110) Moderate: OpenShift Container Platform 4.12.16 security update
2023-05-10 14:41:37
(RHSA-2023:5001) Moderate: OpenShift Container Platform 4.11.49 bug fix and security update
2023-09-13 05:13:22
(RHSA-2023:1326) Important: OpenShift Container Platform 4.13.0 security update
2023-05-17 22:28:04

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

77.6%

JSON
Related for GLSA-202401-15
fedora9osv3nessus20prion1cgr1cvelist1github1freebsd2openvas18redhatcve1debiancve1veracode1ubuntucve1cnvd1alpinelinux1nvd1cve1redhat3