Lei Wan

#29892 of 53,635
8.8 Total CVSS
Vulnerabilities · 1
PT-2022-6550
8.8
2022-11-28
Unknown · Prometheus Exporter Toolkit · CVE-2022-46146
**Name of the Vulnerable Software and Affected Versions**

Prometheus Exporter Toolkit versions prior to 0.7.2 and 0.8.2

**Description**

The issue is related to the implementation of bcrypt password hashing in the Prometheus Exporter Toolkit, and it can be exploited to bypass authentication when the toolkit handles the web.yml file. An attacker who has the hashed password can poison the internal authentication cache and then authenticate against Prometheus. Access to the hashed password, which is stored on disk, is a precondition for the bypass.

**Recommendations**

For versions prior to 0.7.2, update to version 0.7.2 or later. For versions prior to 0.8.2, update to version 0.8.2 or later. As a temporary workaround, restrict access to the web.yml file so that the hashed password cannot be read, since that hash is the information an attacker needs to bypass authentication.