Prometheus Exporter-Toolkit is vulnerable to authentication bypass

Impact Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw ...

GHSA-7RG2-CXVP-9P7P vulnerabilities

Vulnerabilities for packages: prometheus-pushgateway-fips, prometheus-pushgateway, kube-state-metrics...

GHSA-7RG2-CXVP-9P7P Prometheus Exporter-Toolkit is vulnerable to authentication bypass

Impact Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication. Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back. However, a flaw ...

Unspecified vulnerability in prometheus exporter_toolkit

Prometheus is open source software written in the Go language for recording real-time metrics from time series databases built using the HTTP pull model. An unspecified vulnerability exists in Prometheus Exporter Toolkit versions 0.7.2 and prior to 0.8.2, which can be exploited by an attacker to...

Authentication Bypass

github.com/prometheus/exporter-toolkit is vulnerable to authentication bypass. It is possible to bypass the security mechanisms by poisoning the built-in authentication cache when an attacker has access to the web.yml file and user's hashed bcrypted passwords...

CVE-2022-46146

A flaw was found in exporter-toolkit. A request can be forged by an attacker to poison the internal cache used to cache hashes and make subsequent successful requests. This cache is used to limit side channel attacks that could tell an attacker if a user is present in the file or not. Prometheus...

GO-2022-1130 Authentication bypass in github.com/prometheus/exporter-toolkit

If an attacker has access to a Prometheus web.yml file and users' bcrypted passwords, it would be possible to bypass security via the built-in authentication cache...

AZL-41992 CVE-2022-46146 affecting package prometheus-process-exporter for versions less than 0.8.2-1

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146 vulnerabilities

Vulnerabilities for packages: prometheus-pushgateway-fips, prometheus-pushgateway, kube-state-metrics...

DEBIAN-CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

Design/Logic Flaw

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

UBUNTU-CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

Prometheus 安全漏洞

Prometheus is open source software written in the Go language for recording real-time metrics from time series databases built using the HTTP pull model. An unspecified vulnerability exists in Prometheus Exporter Toolkit versions 0.7.2 and prior to 0.8.2, which can be exploited by an attacker to...

CVE-2022-46146

CVE-2022-46146 affects Prometheus Exporter Toolkit prior to 0.7.2 and 0.8.2; attackers with access to the Prometheus web.yml and hashed passwords can poison the built-in authentication cache. A fix exists in 0.7.2 and 0.8.2. Attacker needs access to the hashed password to exploit. Upgrade to 0.7....

CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...

CVE-2022-46146 Prometheus Exporter Toolkit vulnerable to basic authentication bypass

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...