CVE-2022-46146 — Improper Authentication in Exporter-toolkit

CWE-287 — Improper Authentication CWE-303 — Incorrect Implementation of Authentication Algorithm CWE-305 — Authentication Bypass by Primary Weakness9 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 56.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prometheus Exporter-toolkit Github.com Prometheus Exporter-toolkit Prometheus Exporter Toolkit +5 more

Timeline

PublishedNov 29

Latest updateNov 14

Description

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5prometheus/exporter-toolkit< 0.7.2+1

▶NVDprometheus/exporter_toolkit0.8.0 — 0.8.2+1

▶Gogithub.com/prometheus_exporter-toolkit0.8.0 — 0.8.2+1

▶debiandebian/golang-github-prometheus-exporter-toolkit< golang-github-prometheus-exporter-toolkit 0.8.2-1 (bookworm)

▶msrcmsrc/azl3_prometheus-process-exporter_0.8.2-1_on_azure_linux_3.0

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Prometheus Exporter-Toolkit is vulnerable to authentication bypass↗2022-12-02

▶

GHSA

Prometheus Exporter-Toolkit is vulnerable to authentication bypass↗2022-12-02

▶

OSV

Authentication bypass in github.com/prometheus/exporter-toolkit↗2022-11-29

▶

OSV

CVE-2022-46146: Prometheus Exporter Toolkit is a utility package to build exporters↗2022-11-29

▶

📋Vendor Advisories

Red Hat

exporter-toolkit: authentication bypass via cache poisoning↗2022-11-29

▶

Microsoft

Prometheus Exporter Toolkit vulnerable to basic authentication bypass↗2022-11-08

▶

Debian

CVE-2022-46146: golang-github-prometheus-exporter-toolkit - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to ve...↗2022

▶

📄Research Papers

arXiv

PATCHEVAL: A New Benchmark for Evaluating LLMs on Patching Real-World Vulnerabilities↗2025-11-14

▶