v3.5.3
📦 prometheusView on GitHub →
🐛 4 fixes🔧 4 symbols
Summary
This release focuses entirely on addressing multiple critical security vulnerabilities related to OAuth secrets, snappy decompression limits, and stored XSS in the old UI.
🐛 Bug Fixes
- Fixed OAuth client_secret exposure in plaintext via the /-/config endpoint during AzureAD remote write operations.
- Prevented Remote-Write requests using snappy compression from exploiting a vulnerability by rejecting requests where the declared decoded length exceeds the decode limit.
- Prevented Remote-Read requests using snappy compression from exploiting a vulnerability by rejecting requests where the declared decoded length exceeds the decode limit.
- Fixed a stored Cross-Site Scripting (XSS) vulnerability in the old UI heatmap chart tick labels caused by unescaped 'le' label values.