Prometheus SNMP Exporter: Basic Authentication Bypass — GLSA 202401-15

A vulnerability has been found in Prometheus SNMP Exporter which could allow for authentication bypass.

Affected packages

app-metrics/snmp_exporter on all architectures
Affected versions < 0.24.1
Unaffected versions >= 0.24.1

Background

The Prometheus SNMP Exporter is the recommended way to expose SNMP data in a format which Prometheus can ingest.

Description

A vulnerability has been discovered in Prometheus SNMP Exporter. Please review the CVE identifier referenced below for details.

Impact

A user who knows the password hash of an account that is permitted to perform HTTP basic authentication against a vulnerable exporter can use that hash itself to authenticate as the account, by manipulating the exporter's authentication cache, without knowing the password from which the hash was derived.

Workaround

There is no known workaround at this time.

Resolution

All Prometheus SNMP Exporter users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-metrics/snmp_exporter-0.24.1"

References

Release date
January 12, 2024

Latest revision
January 12, 2024: 1

Severity
low

Exploitable
remote

Bugzilla entries