Skip to content

fix: upgrade github.com/prometheus/prometheus to 0.311.3 (CVE-2026-42151)#22983

Open
orbisai0security wants to merge 1 commit into
netdata:masterfrom
orbisai0security:fix-cve-2026-42151-github.com-prometheus-prometheus
Open

fix: upgrade github.com/prometheus/prometheus to 0.311.3 (CVE-2026-42151)#22983
orbisai0security wants to merge 1 commit into
netdata:masterfrom
orbisai0security:fix-cve-2026-42151-github.com-prometheus-prometheus

Conversation

@orbisai0security

@orbisai0security orbisai0security commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Upgrade github.com/prometheus/prometheus from v0.302.0 to 0.311.3 to fix CVE-2026-42151.

Vulnerability

Field Value
ID CVE-2026-42151
Severity HIGH
Scanner trivy
Rule CVE-2026-42151
File src/go/go.mod
Assessment Likely exploitable

Description: github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API

Evidence

Scanner confirmation: trivy rule CVE-2026-42151 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a containerized service - vulnerabilities may be exploitable depending on network exposure.

Changes

  • src/go/go.mod
  • src/go/go.sum

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security


Summary by cubic

Upgrade github.com/prometheus/prometheus to v0.311.3 to fix CVE-2026-42151 (Azure OAuth client secret disclosure via config API). Touches src/go/go.mod and src/go/go.sum; resolves a high-severity finding flagged by trivy.

Written for commit edb9a22. Summary will update on new commits.

Review in cubic

Automated dependency upgrade by OrbisAI Security
@orbisai0security orbisai0security requested a review from ilyam8 as a code owner July 5, 2026 12:20
@sonarqubecloud

sonarqubecloud Bot commented Jul 5, 2026

Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
Architecture diagram
sequenceDiagram
    participant Plugin as Netdata Plugin (go/plugins)
    participant Client as Prometheus Client Library (v0.311.3)
    participant Target as Remote Prometheus Target

    Note over Plugin, Target: Scrape flow (unchanged by version bump)
    Plugin->>Client: Create client with Azure OAuth config
    Client->>Client: CHANGED: Parse config (CVE-2026-42151 fix – suppress secret exposure)
    Client->>Target: HTTP GET /metrics (OAuth token)
    Target-->>Client: Metrics payload
    Client-->>Plugin: Returned parsed metrics
Loading

Re-trigger cubic

@ilyam8

ilyam8 commented Jul 5, 2026

Copy link
Copy Markdown
Member

Not applicable. We only use the parser from the Prometheus package. Also, upgrading the Prometheus package will likely require changes on our side, as they have made API changes.

@github-actions github-actions Bot added area/collectors Everything related to data collection collectors/go.d area/go labels Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/collectors Everything related to data collection area/go collectors/go.d

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants