golang-github-prometheus-exporter-toolkit: CVE-2022-46146


Debian Bug report logs - #1025127


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Nov 2022 21:12:13 UTC

Severity: important

Tags: security, upstream

Found in version golang-github-prometheus-exporter-toolkit/0.8.1-2

Fixed in version golang-github-prometheus-exporter-toolkit/0.8.2-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#1025127; Package src:golang-github-prometheus-exporter-toolkit. (Tue, 29 Nov 2022 21:12:15 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Tue, 29 Nov 2022 21:12:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-github-prometheus-exporter-toolkit: CVE-2022-46146
Date: Tue, 29 Nov 2022 22:11:38 +0100
Source: golang-github-prometheus-exporter-toolkit
Version: 0.8.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for
golang-github-prometheus-exporter-toolkit.

CVE-2022-46146[0]:
| Prometheus Exporter Toolkit is a utility package to build exporters.
| Prior to versions 0.7.2 and 0.8.2, if someone has access to a
| Prometheus web.yml file and users' bcrypted passwords, they can bypass
| security by poisoning the built-in authentication cache. Versions
| 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround,
| but an attacker must have access to the hashed password to use this
| functionality.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46146
    https://www.cve.org/CVERecord?id=CVE-2022-46146
[1] https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 30 Nov 2022 05:57:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Nov 2022 05:57:06 GMT)


Message #10 received at 1025127-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1025127-done@bugs.debian.org
Cc: team+pkg-go@tracker.debian.org, dswarbrick@debian.org
Subject: Re: Accepted golang-github-prometheus-exporter-toolkit 0.8.2-1 (source) into unstable
Date: Wed, 30 Nov 2022 06:52:50 +0100
Source: golang-github-prometheus-exporter-toolkit
Source-Version: 0.8.2-1

On Wed, Nov 30, 2022 at 04:49:54AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Wed, 30 Nov 2022 04:25:05 +0000
> Source: golang-github-prometheus-exporter-toolkit
> Architecture: source
> Version: 0.8.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
> Changed-By: Daniel Swarbrick <dswarbrick@debian.org>
> Changes:
>  golang-github-prometheus-exporter-toolkit (0.8.2-1) unstable; urgency=medium
>  .
>    * New upstream release (fixes CVE-2022-46146)
>    * Add a Breaks prometheus-node-exporter (<< 1.4.1-1) for API break
> Checksums-Sha1:
>  94ecbe02d14564708dd2b8623583d493b134bf89 2711 golang-github-prometheus-exporter-toolkit_0.8.2-1.dsc
>  55abc57e634ced69b52de851b696b18e8cefac9a 62245 golang-github-prometheus-exporter-toolkit_0.8.2.orig.tar.gz
>  83f3ea97a3bae7a94bb3308dcf35e1431f15fb59 3528 golang-github-prometheus-exporter-toolkit_0.8.2-1.debian.tar.xz
>  b399f79fb5389397faf02c7009a00fdb57b6b2c3 8786 golang-github-prometheus-exporter-toolkit_0.8.2-1_amd64.buildinfo
> Checksums-Sha256:
>  edba30486fd59879f12653125e54f7b1055c540cbc97843fa83fac46146b9bdb 2711 golang-github-prometheus-exporter-toolkit_0.8.2-1.dsc
>  f5b32491fc9daca575c4989f6ab2f347ded21d1ca3994503128b97a0211517fd 62245 golang-github-prometheus-exporter-toolkit_0.8.2.orig.tar.gz
>  57ed1affa257e2397aed1bd5bbf65e92b4781f9582e1870302e42bbb47ec0858 3528 golang-github-prometheus-exporter-toolkit_0.8.2-1.debian.tar.xz
>  392409a1b7c4fdd3d098d8a627fbc2832b1600d13242e3311c3090a10cd0bf97 8786 golang-github-prometheus-exporter-toolkit_0.8.2-1_amd64.buildinfo
> Files:
>  b61b49277dedf1b77ffb4eabb040bbec 2711 golang optional golang-github-prometheus-exporter-toolkit_0.8.2-1.dsc
>  9b3d2e9bd9a5d2741f2ca1b5077ad5c6 62245 golang optional golang-github-prometheus-exporter-toolkit_0.8.2.orig.tar.gz
>  da93bd3ea5ca7eaed836208f884e6d40 3528 golang optional golang-github-prometheus-exporter-toolkit_0.8.2-1.debian.tar.xz
>  cae8a13df5bb8e65dfd347fd5cbe6f92 8786 golang optional golang-github-prometheus-exporter-toolkit_0.8.2-1_amd64.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJKBAEBCgA0FiEEMD9oek78sa58GjWjtwAXP7uAWikFAmOG2+0WHGRzd2FyYnJp
> Y2tAZGViaWFuLm9yZwAKCRC3ABc/u4BaKV7QD/9ttqtcO4284q11LrnuQTbcvRXu
> ttcchdHPTwvtbXDGZnOPfR/qxkgRAXxMS2d0BzxVf2fPXASMZKyLojrXHXn9MmEk
> ixq/jpNXjfW7JArbB7vRwEpXdBeksZ28nWol2W/0mn5CLPpSPp2MgGqRXdEu3EAX
> B3+qwzPVD3R8UPCVlEIp2h+mnDQsiWlwRABYrQ3n6LEwoso4A8PP9YqxqcWqzE1o
> niB1ADVaVAzea1ZUhKFRxDJ1il1UaK2mJjF/xqaChDk4omnHffVzdbH60VT2pPTL
> iqX4Y9HBo/c6rvtV2RNFSmIbKpfRehHd65lPKEIdecspe7CL7kIloCrn/F9DpDaZ
> PPsyyOxCYVXNjZPhciSLfSYEycOEPprFCcjQ2AGld9ht7pi1FtV6gtej9WHEmmO+
> BGorWh4EcUhUTDYFdUR30Yrg1Dk70fZEwX9Ht4TS04+v052Ozk2eAniUIbg3wZ0D
> hcOb6JJFvUb1XXV0d5Vw8JPZnq9V3HPjOC12eNpUFQ4YtCR+ES42CkdxFm4JrNId
> IZvkRygCPpm3wdBwvz7Tue7tXGcLoKV4QFl8HpsljIMSP+O107p9jD9kQLQjMx0z
> JjPPQxQowxPDmcM8KEl1dcpg+PD+vxJM6cPeq7j9iADbScCrUNN83i1M0wf3uz+9
> qDtHkFR/uk+8RRnSkg==
> =ATPp
> -----END PGP SIGNATURE-----
> 





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 30 07:17:58 2022; Machine Name: buxtehude
