Source: prometheus
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,

The following vulnerabilities were published for prometheus.

CVE-2026-42151[0]:
| Prometheus is an open-source monitoring system and time series
| database. Prior to versions 3.5.3 and 3.11.3, the client_secret
| field in the Azure AD remote write OAuth configuration
| (storage/remote/azuread) was typed as string instead of Secret.
| Prometheus redacts fields of type Secret when serving the
| configuration via the /-/config HTTP API endpoint. Because the field
| was a plain string, the Azure OAuth client secret was exposed in
| plaintext to any user or process with access to that endpoint. This
| issue has been patched in versions 3.5.3 and 3.11.3.

https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj
https://github.com/prometheus/prometheus/pull/18587
https://github.com/prometheus/prometheus/pull/18590

CVE-2026-42154[1]:
| Prometheus is an open-source monitoring system and time series
| database. Prior to versions 3.5.3 and 3.11.3, the remote read
| endpoint (/api/v1/read) does not validate the declared decoded
| length in a snappy-compressed request body before allocating memory.
| An unauthenticated attacker can send a small payload that causes a
| huge heap allocation per request. Under concurrent load this can
| exhaust available memory and crash the Prometheus process. This
| issue has been patched in versions 3.5.3 and 3.11.3.

https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
https://github.com/prometheus/prometheus/pull/18584
https://github.com/prometheus/prometheus/pull/18585

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42151
    https://www.cve.org/CVERecord?id=CVE-2026-42151
[1] https://security-tracker.debian.org/tracker/CVE-2026-42154
    https://www.cve.org/CVERecord?id=CVE-2026-42154

Please adjust the affected versions in the BTS as needed.
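The two advisories above share a root-cause pattern worth seeing side by side: a value whose type carries no security meaning (a plain string where a redacting Secret type was intended; an attacker-declared length used before it is bounded). The Go program below is an added illustration written for this report, not code from Prometheus or from the referenced pull requests. It models the client_secret field in its pre-fix (string) and fixed (Secret) shape and shows what a config dump returns for each, then shows the check the remote read path needs: read the uvarint decoded-length header that opens a snappy block and refuse it before allocating when it exceeds a cap. The Secret type, the AzureOAuth structs, dumpConfig, maxDecodedLen (32 MiB) and the helper names are all assumptions of this example; the real Prometheus Secret type redacts through YAML marshalling rather than encoding/json, and the real limit is a deployment decision. One operational caveat follows from the first advisory: any Azure client secret served through a reachable /-/config endpoint before the upgrade should be treated as disclosed and rotated, since patching only stops future exposure.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Secret is redacted whenever the configuration is serialised. It mirrors the
// idea behind Prometheus's Secret type but is written for this example (JSON, not YAML).
type Secret string

const redacted = "<secret>"

// MarshalJSON emits a fixed token; an empty secret stays empty so the dump still shows it was unset.
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"` + redacted + `"`), nil
}

// vulnerableAzureOAuth models the pre-fix shape: client_secret is a plain string.
type vulnerableAzureOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// fixedAzureOAuth models the fixed shape: the same field typed as Secret.
type fixedAzureOAuth struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
	TenantID     string `json:"tenant_id"`
}

// dumpConfig stands in for a /-/config style handler serialising the config.
func dumpConfig(v interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<secret>" readable in the output
	if err := enc.Encode(v); err != nil {
		return "", err
	}
	return strings.TrimRight(buf.String(), "\n"), nil
}

// maxDecodedLen is an assumed cap on the decompressed body; the real value is a deployment choice.
const maxDecodedLen = 32 << 20 // 32 MiB

var (
	errBadHeader = errors.New("snappy: malformed decoded-length header")
	errTooLarge  = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen reads the uvarint that opens every snappy block (the claimed size) without decompressing.
func declaredDecodedLen(body []byte) (uint64, error) {
	n, read := binary.Uvarint(body)
	if read <= 0 { // 0: truncated varint, <0: overflow
		return 0, errBadHeader
	}
	return n, nil
}

// allocateForDecode creates the output buffer only after the claimed size passes the cap.
func allocateForDecode(body []byte) ([]byte, error) {
	n, err := declaredDecodedLen(body)
	if err != nil {
		return nil, err
	}
	if n > maxDecodedLen {
		return nil, fmt.Errorf("%w: %d > %d bytes", errTooLarge, n, maxDecodedLen)
	}
	return make([]byte, n), nil
}

// encodeDecodedLen builds a block header claiming n decoded bytes (the attacker-style payload).
func encodeDecodedLen(n uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	return buf[:binary.PutUvarint(buf, n)]
}

func main() {
	// Constructed configuration values, not real credentials.
	v, _ := dumpConfig(vulnerableAzureOAuth{ClientID: "app-id", ClientSecret: "hunter2", TenantID: "tenant"})
	f, _ := dumpConfig(fixedAzureOAuth{ClientID: "app-id", ClientSecret: "hunter2", TenantID: "tenant"})
	fmt.Println("string field:", v) // client_secret appears in plaintext
	fmt.Println("Secret field:", f) // client_secret is "<secret>"

	// Five bytes claiming a 4 GiB decoded size; rejected before any allocation.
	if _, err := allocateForDecode(encodeDecodedLen(4 << 30)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point of the length check is its placement: the cap is applied to the number the sender declared, before make() runs, so a handful of bytes cannot reserve gigabytes per request. A cap on the compressed body size alone does not help here, because the declared decoded length is independent of how many bytes were actually sent.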

