Change8

v3.5.3

📦 prometheusView on GitHub →
🐛 4 fixes🔧 4 symbols

Summary

This release focuses entirely on addressing multiple critical security vulnerabilities related to OAuth secrets, snappy decompression limits, and stored XSS in the old UI.

🐛 Bug Fixes

  • Fixed OAuth client_secret exposure in plaintext via the /-/config endpoint during AzureAD remote write operations.
  • Prevented Remote-Write requests using snappy compression from exploiting a vulnerability by rejecting requests where the declared decoded length exceeds the decode limit.
  • Prevented Remote-Read requests using snappy compression from exploiting a vulnerability by rejecting requests where the declared decoded length exceeds the decode limit.
  • Fixed a stored Cross-Site Scripting (XSS) vulnerability in the old UI heatmap chart tick labels caused by unescaped 'le' label values.

Affected Symbols