CVE-2022-46146 – Prometheus Exporter Toolkit vulnerable to basic authentication bypass

https://notcve.org/view.php?id=CVE-2022-46146

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. Un usuario podía eliminar un perfil VPN del cliente móvil WARP en la plataforma iOS a pesar del interruptor Lock WARP https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/# La función lock-warp-switch está habilitada en Zero Trust Platform. • http://www.openwall.com/lists/oss-security/2022/11/29/1 http://www.openwall.com/lists/oss-security/2022/11/29/2 http://www.openwall.com/lists/oss-security/2022/11/29/4 https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26 https://lists.fedoraproject.org/archi • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm CWE-305: Authentication Bypass by Primary Weakness •