Prometheus Azure AD OAuth Client Secret Exposure Vulnerability

Vulnerability

A vulnerability exists in Prometheus versions 2.48.0 prior to 3.5.3 and 3.6.0 prior to 3.11.3: the client_secret field of the Azure AD remote write OAuth configuration (remote_write[].azuread.oauth.client_secret) was typed as a plain string instead of as a Secret. Prometheus redacts Secret-typed fields as <secret> when it renders its effective configuration, so this typing error caused the Azure OAuth client secret to be returned in plaintext by the /-/config HTTP API endpoint to any user or process permitted to reach that endpoint. The issue is fixed in versions 3.5.3 and 3.11.3.

Impact

The vulnerability exposes the Azure AD OAuth client secret to anyone who can read the effective configuration. Together with the client_id and tenant_id, which are plain strings and are returned by the same endpoint, the secret is enough to obtain tokens for that application registration, allowing unauthorized access or actions on behalf of the application associated with the client secret.

Remediation

Users should upgrade to Prometheus version 3.11.3 or 3.5.3 LTS. For those unable to upgrade, switching to Managed Identity or Workload Identity authentication for Azure AD remote write is a temporary workaround, as these methods do not require a client secret. Because the secret may already have been read by anyone who could reach the endpoint, treat it as compromised: rotate the client secret in Azure AD after upgrading, and restrict access to /-/config to the operators who need it.
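The following check is an added example, not code from the Prometheus project or from this advisory. It fetches the effective configuration of a running Prometheus and reports every secret-bearing key whose value is not the <secret> redaction marker, which is exactly what the typing error above produces for client_secret and what the remediation is expected to restore. The endpoint path /-/config is taken from the advisory; its response format is an assumption, so the fetcher accepts either raw YAML text or the JSON envelope ({"data": {"yaml": "..."}}) that the Prometheus status API uses. The two sample configurations are constructed to mirror a vulnerable and a fixed build; the secret value in them is made up.

```python
"""Detect plaintext secrets in a Prometheus effective configuration.

Added example; not Prometheus project code.  The YAML walker is a small
indentation-based path tracker that is sufficient for the regular YAML that
Prometheus marshals itself; it is not a general YAML parser.
"""
import json
import re
import sys
import urllib.request
from typing import List, Tuple

REDACTED = "<secret>"  # marker Prometheus prints for Secret-typed fields
SECRET_KEYS = {"client_secret", "password", "bearer_token", "credentials"}
_LINE_RE = re.compile(r"^(\s*)(- )?([A-Za-z0-9_.-]+):\s*(.*)$")

# Constructed sample: what a vulnerable build renders (client_secret leaks).
VULNERABLE_CONFIG = """global:
  scrape_interval: 15s
remote_write:
  - url: https://example.invalid/api/v1/write
    basic_auth:
      username: metrics
      password: <secret>
    azuread:
      cloud: AzurePublic
      oauth:
        client_id: 00000000-0000-0000-0000-000000000000
        client_secret: example-client-secret-value
        tenant_id: 11111111-1111-1111-1111-111111111111
"""

# Constructed sample: what a fixed build renders (client_secret redacted).
FIXED_CONFIG = VULNERABLE_CONFIG.replace("example-client-secret-value", REDACTED)


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def find_exposed_secrets(config_yaml: str) -> List[Tuple[str, str]]:
    """Return (dotted path, value) for each secret key that is not redacted."""
    findings: List[Tuple[str, str]] = []
    stack: List[Tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in config_yaml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(raw)
        if not m:
            continue
        # A "- key:" list item nests its keys two columns deeper than the dash.
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        key, value = m.group(3), m.group(4)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join(k for _, k in stack) + ("." if stack else "") + key
        if key in SECRET_KEYS and value.strip() and _unquote(value) != REDACTED:
            findings.append((path, _unquote(value)))
        if not value.strip():  # a nested mapping or list follows
            stack.append((indent, key))
    return findings


def fetch_config(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the effective config; assumed endpoint path and response shape."""
    url = base_url.rstrip("/") + "/-/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # nosec: operator tool
        body = resp.read().decode("utf-8")
    try:
        return json.loads(body)["data"]["yaml"]  # JSON envelope variant
    except (ValueError, KeyError, TypeError):
        return body  # raw YAML variant


def main(argv: List[str]) -> int:
    text = fetch_config(argv[1]) if len(argv) > 1 else VULNERABLE_CONFIG
    findings = find_exposed_secrets(text)
    for path, value in findings:
        print(f"PLAINTEXT SECRET at {path}: {value[:4]}... (len {len(value)})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the finding on the constructed vulnerable sample, or with a Prometheus base URL (for example http://localhost:9090) to check a live instance; a non-zero exit means a secret is being served in plaintext and should be rotated.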

Added: May 4, 2026, 7:23 PM
Updated: May 4, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 7.7
remediation: 8.3
relevance: 7.5
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.