8.8

CVE-2022-46146

Exploit
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PrometheusExporter Toolkit Version < 0.7.2
PrometheusExporter Toolkit Version >= 0.8.0 < 0.8.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.329
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 6.2 2.5 3.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

http://www.openwall.com/lists/oss-security/2022/11/29/1
Third Party Advisory
Exploit
Mailing List
http://www.openwall.com/lists/oss-security/2022/11/29/2
Patch
Third Party Advisory
Exploit
Mailing List
http://www.openwall.com/lists/oss-security/2022/11/29/4
Patch
Third Party Advisory
Exploit
Mailing List