漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Prometheus Azure AD remote write OAuth client secret exposed via config API
Vulnerability Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Prometheus 信息泄露漏洞
Vulnerability Description
Prometheus是Prometheus开源的一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。 Prometheus 3.5.3之前版本和3.11.3之前版本存在信息泄露漏洞,该漏洞源于Azure AD远程写入OAuth配置中client_secret字段类型为字符串而非Secret,可能导致Azure OAuth客户端密钥以明文形式暴露。
CVSS Information
N/A
Vulnerability Type
N/A