8.8
CVE-2022-46146
- EPSS 0.1%
- Published 29.11.2022 14:15:13
- Last modified 21.11.2024 07:30:11
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Data is provided by the National Vulnerability Database (NVD)
Prometheus ≫ Exporter Toolkit Version < 0.7.2
Prometheus ≫ Exporter Toolkit Version >= 0.8.0 < 0.8.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.284 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 6.2 | 2.5 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-303 Incorrect Implementation of Authentication Algorithm
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.