{"id":"GO-2022-1130","summary":"Authentication bypass in github.com/prometheus/exporter-toolkit","details":"If an attacker has access to a Prometheus web.yml file and users' bcrypted passwords, it would be possible to bypass security via the built-in authentication cache.","aliases":["CVE-2022-46146","GHSA-7rg2-cxvp-9p7p"],"modified":"2026-02-04T02:15:49.242121Z","published":"2022-11-29T16:33:47Z","related":["CGA-q8cm-w99c-4fj2"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-1130"},"references":[{"type":"ADVISORY","url":"https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"},{"type":"FIX","url":"https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"}],"affected":[{"package":{"name":"github.com/prometheus/exporter-toolkit","ecosystem":"Go","purl":"pkg:golang/github.com/prometheus/exporter-toolkit"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.7.2"},{"introduced":"0.8.0"},{"fixed":"0.8.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Listen","ListenAndServe","Serve","ServeMultiple","webHandler.ServeHTTP"],"path":"github.com/prometheus/exporter-toolkit/web"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1130.json"}}],"schema_version":"1.7.3","credits":[{"name":"Lei Wan"}]}