Prometheus 2.37.4 LTS and Prometheus 2.40.4 are available (CVE-2022-46146)
122 views
Skip to first unread message
Julien Pivotto
unread,
Nov 29, 2022, 7:12:30 AM11/29/22
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to prometheus-announce
Hello everyone,
Prometheus 2.37.4 and 2.40.4 are out!
Those releases fix a security issue that enabled an attacker that has
access to the content of a web.yml configuration file
(--web.config.file) to bypass basic authentication.
This issue is about our built-in authentication mechanism.
We would like to thank Lei Wan for the responsible disclosure of this
bug.
Prometheus 2.37.4 is part of the 2.37 Long-Term Supported release of
Prometheus, supported for _at least_ until January 2023. See the
approximative schedule and explanations here:
https://prometheus.io/docs/introduction/release-cycle/
The v2.37.4 and v2.40.4 can be found in the usual locations: