Prometheus 2.37.4 LTS and Prometheus 2.40.4 are available (CVE-2022-46146)


Julien Pivotto

Nov 29, 2022, 7:12:30 AM
to prometheus-announce
Hello everyone,

Prometheus 2.37.4 and 2.40.4 are out!

Those releases fix a security issue that enabled an attacker who has
access to the content of a web.yml configuration file
(--web.config.file) to bypass basic authentication.
This issue is about our built-in authentication mechanism.

CVE-2022-46146 was assigned to this security report in our exporter
toolkit:
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

We would like to thank Lei Wan for the responsible disclosure of this
bug.

Prometheus 2.37.4 is part of the 2.37 Long-Term Supported release of
Prometheus, supported _at least_ until January 2023. See the
approximate schedule and explanations here:
https://prometheus.io/docs/introduction/release-cycle/

The v2.37.4 and v2.40.4 releases can be found in the usual locations:

- See the full changelog & grab the binaries:
https://github.com/prometheus/prometheus/releases/tag/v2.37.4
https://github.com/prometheus/prometheus/releases/tag/v2.40.4
- See https://quay.io/repository/prometheus/prometheus?tab=tags and
https://hub.docker.com/r/prom/prometheus/tags for container images.

Best regards,

--
Julien Pivotto
@roidelapluie
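As an added example (not part of the message above or of the Prometheus project's code), the following Python script encodes the version logic of this announcement so it can be run over a fleet inventory: it treats 2.37.4 and 2.40.4 as the fixed releases, treats instances that do not pass --web.config.file as out of scope because the issue concerns the built-in authentication, and assumes that releases newer than 2.40.4 carry the fix forward. The hostnames and version strings in the sample inventory are constructed.

```python
"""Fleet check for CVE-2022-46146 exposure, derived from the announcement above.

Added example, not Prometheus project code. Encodes only what the announcement
states: the fix ships in 2.37.4 (LTS line) and 2.40.4, and the issue concerns
the built-in basic auth enabled via --web.config.file.
"""
import re
from typing import List, Optional, Tuple

# Fixed releases named in the announcement: 2.37.4 (LTS line) and 2.40.4.
FIXED_PATCH = {37: 4, 40: 4}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of a tag like 'v2.40.3' or the first line
    of `prometheus --version` ('prometheus, version 2.37.3 (branch: ...)')."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str, uses_web_config: bool) -> Tuple[str, Optional[str]]:
    """Classify one instance as (status, recommended_release).

    status is 'not-applicable', 'fixed', 'upgrade' or 'unknown';
    recommended_release is set only when status is 'upgrade'.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = v
    if not uses_web_config:
        # Built-in auth is only active with --web.config.file; without it the
        # bypass described in the announcement does not apply.
        return ("not-applicable", None)
    if major != 2:
        # The announcement covers 2.x only; do not guess about other majors.
        return ("unknown", None)
    if minor > 40:
        # Assumption: releases after 2.40.4 carry the fix forward.
        return ("fixed", None)
    if minor == 40:
        return ("fixed", None) if patch >= FIXED_PATCH[40] else ("upgrade", "2.40.4")
    if minor in (38, 39):
        # No patched release announced for these lines; move to 2.40.4.
        return ("upgrade", "2.40.4")
    if minor == 37:
        return ("fixed", None) if patch >= FIXED_PATCH[37] else ("upgrade", "2.37.4")
    # Older than the LTS line: either announced release resolves the issue.
    return ("upgrade", "2.37.4 (LTS) or 2.40.4")


def report(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, Optional[str]]]:
    """Run assess() over (host, version_output, uses_web_config) rows."""
    rows = []
    for host, version_line, uses_web_config in inventory:
        status, target = assess(version_line, uses_web_config)
        rows.append((host, status, target))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("prom-lts-1", "prometheus, version 2.37.3 (branch: HEAD)", True),
    ("prom-lts-2", "prometheus, version 2.37.4 (branch: HEAD)", True),
    ("prom-edge-1", "prometheus, version 2.40.3 (branch: HEAD)", True),
    ("prom-edge-2", "prometheus, version 2.39.1 (branch: HEAD)", True),
    ("prom-noauth", "prometheus, version 2.40.3 (branch: HEAD)", False),
]

if __name__ == "__main__":
    for host, status, target in report(SAMPLE_INVENTORY):
        print(f"{host:12} {status:15} {target or ''}")
```

Feed it the first line of `prometheus --version` from each host together with whether that host is started with --web.config.file; instances without the flag are reported as not affected by this particular bypass rather than silently marked fixed.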