Name of the Vulnerable Software and Affected Versions Prometheus versions prior to 2.37.4 Prometheus versions prior to 2.40.4

Description A flaw in the implementation of basic authentication in Prometheus allows attackers who know the hashed password to authenticate against Prometheus. This is possible due to a flaw in the exporter toolkit, which enables an attacker to forge a request and poison the internal cache used for hash computation, making subsequent requests successful. The cache is used to limit side channel attacks.

Recommendations For versions prior to 2.37.4, update to Prometheus 2.37.4 or later. For versions prior to 2.40.4, update to Prometheus 2.40.4 or later. As a temporary workaround, consider restricting access to the hashed password stored on disk to minimize the risk of exploitation.