Skip to content

remote/azuread: use Secret type for OAuth client_secret#18587

Merged
roidelapluie merged 1 commit into
prometheus:release-3.5from
roidelapluie:roidelapluie/azadsecret-lts
Apr 27, 2026
Merged

remote/azuread: use Secret type for OAuth client_secret#18587
roidelapluie merged 1 commit into
prometheus:release-3.5from
roidelapluie:roidelapluie/azadsecret-lts

Conversation

@roidelapluie

Copy link
Copy Markdown
Member

The ClientSecret field in OAuthConfig was typed as plain string, causing it to be exposed in plaintext via the /-/config HTTP endpoint. Change it to config_util.Secret so Prometheus redacts it as .

Fixes GHSA-wg65-39gg-5wfj.

Which issue(s) does the PR fix:

Release notes for end users (ALL commits must be considered).

Reviewers should verify clarity and quality.

[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint.

The ClientSecret field in OAuthConfig was typed as plain string,
causing it to be exposed in plaintext via the /-/config HTTP endpoint.
Change it to config_util.Secret so Prometheus redacts it as <secret>.

Signed-off-by: Julien Pivotto <[email protected]>

@krajorama krajorama left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stamp, based off #18586

@roidelapluie
roidelapluie merged commit cb493a4 into prometheus:release-3.5 Apr 27, 2026
31 checks passed
@openshift-merge-robot

Copy link
Copy Markdown

Fix included in release 5.0.0-0.nightly-2026-07-01-125918

@openshift-merge-robot

Copy link
Copy Markdown

Fix included in release 4.22.0-0.nightly-2026-07-03-024128

openshift-merge-bot Bot pushed a commit to stolostron/thanos that referenced this pull request Jul 8, 2026
Use a replace directive to point github.com/prometheus/prometheus to
stolostron/prometheus@cve-2026-42151-v0.308.0 which contains the
upstream fix (prometheus/prometheus#18587) cherry-picked onto v0.308.0.

The fix changes ClientSecret in the Azure AD OAuth config from string
to config.Secret so that it is properly redacted by the /-/config API
endpoint.

Ref: GHSA-wg65-39gg-5wfj
Ref: ACM-36251

Signed-off-by: Coleen Iona Quadros <[email protected]>
Signed-off-by: Coleen Iona Quadros <[email protected]>
coleenquadros added a commit to stolostron/multicluster-observability-operator that referenced this pull request Jul 9, 2026
Bump github.com/prometheus/prometheus from v0.305.0 to v0.305.3 to fix
CVE-2026-42151 (GHSA-wg65-39gg-5wfj): Prometheus Azure AD remote write
OAuth client_secret was exposed via config API because the ClientSecret
field in storage/remote/azuread OAuthConfig was typed as string instead
of config_util.Secret, bypassing redaction.

Upstream fix: prometheus/prometheus#18587, #18590
Jira: ACM-36210, ACM-36241, ACM-36249, ACM-36250

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Signed-off-by: Coleen Iona Quadros <[email protected]>
coleenquadros added a commit to stolostron/multicluster-observability-operator that referenced this pull request Jul 9, 2026
Bump github.com/prometheus/prometheus from v0.305.0 to v0.305.3 to fix
CVE-2026-42151 (GHSA-wg65-39gg-5wfj): Prometheus Azure AD remote write
OAuth client_secret was exposed via config API because the ClientSecret
field in storage/remote/azuread OAuthConfig was typed as string instead
of config_util.Secret, bypassing redaction.

Upstream fix: prometheus/prometheus#18587, #18590
Jira: ACM-36210, ACM-36241, ACM-36249, ACM-36250

Signed-off-by: Coleen Iona Quadros <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants