Skip to content

remote/azuread: use Secret type for OAuth client_secret#18590

Merged
roidelapluie merged 1 commit into
prometheus:release-3.11from
roidelapluie:roidelapluie/azadsecret
Apr 27, 2026
Merged

remote/azuread: use Secret type for OAuth client_secret#18590
roidelapluie merged 1 commit into
prometheus:release-3.11from
roidelapluie:roidelapluie/azadsecret

Conversation

@roidelapluie

@roidelapluie roidelapluie commented Apr 27, 2026

Copy link
Copy Markdown
Member

The ClientSecret field in OAuthConfig was typed as plain string, causing it to be exposed in plaintext via the /-/config HTTP endpoint. Change it to config_util.Secret so Prometheus redacts it as .

Which issue(s) does the PR fix:

Release notes for end users (ALL commits must be considered).

Reviewers should verify clarity and quality.

[SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint.

The ClientSecret field in OAuthConfig was typed as plain string,
causing it to be exposed in plaintext via the /-/config HTTP endpoint.
Change it to config_util.Secret so Prometheus redacts it as <secret>.

Signed-off-by: Julien Pivotto <[email protected]>

@krajorama krajorama left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stamp, based off #18586

@roidelapluie
roidelapluie enabled auto-merge April 27, 2026 11:39
@roidelapluie
roidelapluie merged commit 26dae7f into prometheus:release-3.11 Apr 27, 2026
69 of 71 checks passed
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Apr 28, 2026
… v3.11.3) (#303)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [quay.io/prometheus/prometheus](https://github.com/prometheus/prometheus) | patch | `v3.11.2` → `v3.11.3` |

---

### Release Notes

<details>
<summary>prometheus/prometheus (quay.io/prometheus/prometheus)</summary>

### [`v3.11.3`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3): 3.11.3 / 2026-04-27

[Compare Source](prometheus/prometheus@v3.11.2...v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@&#8203;iiihaiii](https://github.com/iiihaiii) and [@&#8203;Ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#&#8203;18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#&#8203;18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#&#8203;18588](prometheus/prometheus#18588)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/303
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 1, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 2, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request May 2, 2026
##### [\`v3.11.3\`](https://github.com/prometheus/prometheus/releases/tag/v3.11.3)

This release fixes mutiple security issues.

We would like to thank the following people for the responsible disclosures:

- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.

- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.

- [@iiihaiii](https://github.com/iiihaiii) and [@ngocnn97](https://github.com/Ngocnn97) for the Old UI XSS vulnerability.

- \[SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 [#18590](prometheus/prometheus#18590)

- \[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 [#18584](prometheus/prometheus#18584)

- \[SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 [#18588](prometheus/prometheus#18588)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@openshift-merge-robot

Copy link
Copy Markdown

Fix included in release 5.0.0-0.nightly-2026-07-01-125918

@openshift-merge-robot

Copy link
Copy Markdown

Fix included in release 4.22.0-0.nightly-2026-07-03-024128

openshift-merge-bot Bot pushed a commit to stolostron/thanos-receive-controller that referenced this pull request Jul 8, 2026
CVE-2026-42151 (GHSA-wg65-39gg-5wfj): Prometheus Azure AD remote write
OAuth client_secret exposed via config API. The client_secret field in
OAuthConfig was typed as string instead of config.Secret, causing it to
be returned in plaintext through the /-/config endpoint.

The upstream fix is in prometheus v0.311.3, but that version removed the
tsdb/errors package (starting in v0.310.0) which thanos v0.41.0 depends
on. Until thanos is updated, this uses a replace directive pointing to
stolostron/prometheus with the fix cherry-picked onto v0.308.0.

Ref: GHSA-wg65-39gg-5wfj
Ref: prometheus/prometheus#18590
Jira: ACM-36252

Signed-off-by: Coleen Iona Quadros <[email protected]>
Signed-off-by: Coleen Iona Quadros <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants