CVE-2022-46146— Prometheus Exporter Toolkit vulnerable to basic authentication bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-46146
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Prometheus Exporter Toolkit vulnerable to basic authentication bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证算法的不正确实现
Source: NVD (National Vulnerability Database)
Vulnerability Title
Prometheus 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。 Prometheus Exporter Toolkit 0.7版本至0.7.2之前版本、0.8版本至0.8.2之前版本存在安全漏洞。攻击者利用该漏洞获取文件和用户的加密密码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| prometheus | exporter-toolkit | < 0.7.2 | - |
II. Public POCs for CVE-2022-46146
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-46146
请登录查看更多情报信息。
- https://security.gentoo.org/glsa/202401-15vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-46146
IV. Related Vulnerabilities
Same vendor: prometheus
- CVE-2026-42154
Prometheus: remote read endpoint allows denial of service vi - CVE-2026-42151
Prometheus Azure AD remote write OAuth client secret exposed - CVE-2026-40179
Prometheus: Stored XSS via metric names and label values in - CVE-2023-40577
Alertmanager UI is vulnerable to stored XSS via the /api/v1/ - CVE-2022-21698
Uncontrolled Resource Consumption in promhttp
Same weakness: CWE-303
- CVE-2026-33190
CoreDNS TSIG authentication bypass on encrypted DNS transpor - CVE-2026-27656
Account Takeover via Substring Matching in OpenID Connect Au - CVE-2026-32953
Tillitis: TKey Client has an Error in Protocol Implementatio - CVE-2026-29515
MiCode FileExplorer SwiFTP Server Authentication Bypass - CVE-2019-25436
Sricam DeviceViewer 3.12.0.1 Password Change Security Bypass
V. Comments for CVE-2022-46146
No comments yet