A vulnerability has been found in Prometheus SNMP Exporter which could allow for authentication bypass.
|app-metrics/snmp_exporter on all architectures
The Prometheus SNMP Exporter is the recommended way to expose SNMP data in a format which Prometheus can ingest.
A vulnerability has been discovered in Prometheus SNMP Exporter. Please review the CVE identifier referenced below for details.
A user who knows the password hash of a user capable of performing HTTP basic authentication with a vulnerable exporter can use the hash to successfully authenticate as that user via cache manipulation, without knowing the password from which the hash was derived.
There is no known workaround at this time.
All Prometheus SNMP Exporter users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-metrics/snmp_exporter-0.24.1"
January 12, 2024
January 12, 2024: 1