CVE-2022-46156: Default installation of `synthetic-monitoring-agent` exposes sensitive information
Users running the Synthetic Monitoring agent in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks.
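The advisory describes the general failure mode of a debug endpoint that reveals a process-level secret. The following Go example, added here and not code from the synthetic-monitoring-agent project, shows one hardening pattern against that class of leak: a debug server that is built on its own mux rather than `http.DefaultServeMux` (where Go's `expvar` self-registers and publishes the raw command line), refuses to bind anything but a loopback address, and redacts secret flag values before publishing them. The flag name `-api-token` and the use of `expvar` as the leaking mechanism are assumptions for illustration, not details taken from the advisory.

```go
package main

import (
	"encoding/json"
	"expvar"
	"fmt"
	"net"
	"net/http"
	"os"
	"strings"
)

// Flag names whose values are secrets. "-api-token" is an assumed name for
// this example, not a flag documented on the advisory page.
var secretFlags = []string{"-api-token", "--api-token"}

// redactArgs returns a copy of args with every secret flag value replaced by
// "REDACTED". Both "-flag=value" and "-flag value" forms are handled.
func redactArgs(args []string, secrets []string) []string {
	out := make([]string, len(args))
	copy(out, args)
	isSecret := func(name string) bool {
		for _, s := range secrets {
			if name == s {
				return true
			}
		}
		return false
	}
	for i := 0; i < len(out); i++ {
		name, _, hasEq := strings.Cut(out[i], "=")
		if !isSecret(name) {
			continue
		}
		if hasEq {
			out[i] = name + "=REDACTED"
		} else if i+1 < len(out) {
			i++
			out[i] = "REDACTED"
		}
	}
	return out
}

// debugVarsHandler serves the expvar variables as JSON but overrides the
// "cmdline" entry (which expvar fills with the raw os.Args at import time)
// with the redacted copy, so a token passed on the command line is never
// written to the response.
func debugVarsHandler(args []string) http.HandlerFunc {
	redacted, _ := json.Marshal(redactArgs(args, secretFlags))
	return func(w http.ResponseWriter, r *http.Request) {
		vars := map[string]json.RawMessage{}
		expvar.Do(func(kv expvar.KeyValue) {
			vars[kv.Key] = json.RawMessage(kv.Value.String())
		})
		vars["cmdline"] = redacted
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(vars)
	}
}

// isLoopback reports whether addr ("host:port") binds only a loopback
// interface; "localhost" and literal loopback IPs qualify.
func isLoopback(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("not an IP literal: %q", host)
	}
	return ip.IsLoopback(), nil
}

// newDebugServer builds the debug server on a private mux (never
// http.DefaultServeMux) and refuses any non-loopback bind address.
func newDebugServer(addr string, args []string) (*http.Server, error) {
	ok, err := isLoopback(addr)
	if err != nil {
		return nil, err
	}
	if !ok {
		return nil, fmt.Errorf("refusing to expose debug endpoint on %s: not loopback", addr)
	}
	mux := http.NewServeMux()
	mux.Handle("/debug/vars", debugVarsHandler(args))
	return &http.Server{Addr: addr, Handler: mux}, nil
}

func main() {
	srv, err := newDebugServer("127.0.0.1:6060", os.Args)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("debug endpoint on", srv.Addr)
	fmt.Fprintln(os.Stderr, srv.ListenAndServe())
}
```

Two design points carry the weight here: the debug handlers are never attached to the default mux that the main API listener might also serve, and the bind address is validated rather than trusted from configuration. Redaction is the last line of defence, for the case where a debug page is reachable by an operator on the same host and still should not show credentials.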
References
- github.com/advisories/GHSA-9j4f-f249-q5w8
- github.com/grafana/synthetic-monitoring-agent
- github.com/grafana/synthetic-monitoring-agent/commit/d8dc7f9c1c641881cbcf0a09e178b90ebf0f0228
- github.com/grafana/synthetic-monitoring-agent/pull/373
- github.com/grafana/synthetic-monitoring-agent/pull/374
- github.com/grafana/synthetic-monitoring-agent/pull/375
- github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.12.0
- github.com/grafana/synthetic-monitoring-agent/security/advisories/GHSA-9j4f-f249-q5w8
- nvd.nist.gov/vuln/detail/CVE-2022-46156
- pkg.go.dev/vuln/GO-2022-1132