Date: Sat, 4 Feb 2023 19:11:52 GMT From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5544ae86f3ff - main - security/vuxml: Register sysutils/node_exporter vulnerability Message-ID: <202302041911.314JBqIg061339@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=5544ae86f3ff0b781f29b81283c0543a3b7581be commit 5544ae86f3ff0b781f29b81283c0543a3b7581be Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2023-02-04 19:04:32 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2023-02-04 19:04:32 +0000 security/vuxml: Register sysutils/node_exporter vulnerability CVE-2022-46146 Note that in https://cgit.freebsd.org/ports/commit/?id=8b5d2b9a9ec7985158a814e2cdf9022d785b9090 three CVEs are mentioned: CVE-2022-27191 CVE-2022-27664 CVE-2022-46146 However, according to: https://github.com/prometheus/node_exporter/pull/2488 node_exported is not really affected by those Go vulnerabilities. However the dependencies were bumped anyway. --- security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 8175d88e27b4..807eceae5259 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,44 @@ + <vuln vid="d835c54f-a4bd-11ed-b6af-b42e991fc52e"> + <topic>node_exporter -- bypass security with cache poisoning</topic> + <affects> + <package> + <name>node_exporter</name> + <range><lt>1.5.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Prometheus team reports:</p> + <blockquote cite="https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"> + <p> + Prometheus and its exporters can be secured by a web.yml file that + specifies usernames and hashed passwords for basic authentication. + Passwords are hashed with bcrypt, which means that even if you have + access to the hash, it is very hard to find the original password + back. Passwords are hashed with bcrypt, which means that even if you + have access to the hash, it is very hard to find the original + password back. However, a flaw in the way this mechanism was + implemented in the exporter toolkit makes it possible with people + who know the hashed password to authenticate against Prometheus. + A request can be forged by an attacker to poison the internal cache + used to cache the computation of hashes and make subsequent requests + successful. This cache is used in both happy and unhappy scenarios + in order to limit side channel attacks that could tell an attacker + if a user is present in the file or not. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-46146</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146</url> + </references> + <dates> + <discovery>2021-11-28</discovery> + <entry>2023-02-04</entry> + </dates> + </vuln> + <vuln vid="8dd438ed-a338-11ed-b48b-589cfc0f81b0"> <topic>Asterisk -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302041911.314JBqIg061339>