Описание
Security update for golang-github-prometheus-prometheus
This update for golang-github-prometheus-prometheus fixes the following issues:
- CVE-2022-46146: Fixed authentication bypass via cache poisoning in Prometheus Exporter Toolkit (bsc#1208049).
Список пакетов
Container ses/7.1/ceph/prometheus-server:latest
golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
SUSE Manager Proxy Module 4.2
golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
SUSE Manager Proxy Module 4.3
golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
openSUSE Leap 15.4
firewalld-prometheus-config-0.1-150100.4.12.1
golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
Ссылки
- Link for SUSE-SU-2023:1859-1
- E-Mail link for SUSE-SU-2023:1859-1
- SUSE Security Ratings
- SUSE Bug 1208049
- SUSE CVE CVE-2022-46146 page
Описание
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Затронутые продукты
Container ses/7.1/ceph/prometheus-server:latest:golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
SUSE Manager Proxy Module 4.2:golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
SUSE Manager Proxy Module 4.3:golang-github-prometheus-prometheus-2.32.1-150100.4.12.1
openSUSE Leap 15.4:firewalld-prometheus-config-0.1-150100.4.12.1
Ссылки
- CVE-2022-46146
- SUSE Bug 1208046