#VU69691 Use of Password Hash Instead of Password for Authentication in prometheus - CVE-2022-46146

Cybersecurity Help s.r.o.

Published: 2022-11-29 | Updated: 2022-11-30

Vulnerability identifier: #VU69691

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-46146

CWE-ID: CWE-836

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
prometheus
Other software / Other software solutions

Vendor: Prometheus

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incorrect implementation of basic authentication. A remote attacker with knowledge of the password hash can authenticate against Prometheus without actual knowledge of the password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

prometheus: 2.24.1 - 2.29.2, 2.30.0 - 2.39.2, 2.40.0 - 2.40.3

External links
https://github.com/prometheus/prometheus/security/advisories/GHSA-4v48-4q5m-8vx4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for SUSE Manager Server 4.2

SUSE update for golang-github-prometheus-prometheus

SUSE update for SUSE Manager 4.3: Server

SUSE update for Security Beta update for SUSE Manager Client Tools

SUSE update for Security Beta update for SUSE Manager Client Tools and Salt

SUSE update for SUSE Manager Client Tools

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.11

Fedora 37 update for golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, golang-gopkg-alecthomas-kingpin-2