oss-sec mailing list archives
Re: Voiding CVE-2020-16248
From: Bastian Blank <bblank () thinkmo de>
Date: Sat, 8 Aug 2020 17:21:44 +0200
Hi Richard

On Sat, Aug 08, 2020 at 10:49:14AM +0200, Richard Hartmann wrote:
> the Prometheus project[1] has received a public "vulnerability" report[2] against what the reporter called SSRF, but what is the core functionality of blackbox_exporter[3]: The ability to trigger network probes over the network to monitor a target's availability.

Could you please explain why you think this is not a vulnerability? Even wanted functionality can constitute a vulnerability if looked at more closely. The software allows sending pre-defined requests to arbitrary targets and extracting at least parts of the response. This is a typical SSRF. Were you to require specifying the allowed targets, no one would ask.

> From context, it seems to be a paid assessment of our software for an unnamed client which increases motivation to get "results", in particular CVEs for "zero days" - which are then promptly reported publicly with an embargoed CVE.

Please don't. You just accused the reporter of malpractice on a public forum. JFYI, this is punishable in your jurisdiction. Also, an embargo and posting a public issue on GitHub don't really mix.

> The reporter has not replied to our statement that this behaviour is core functionality. I could not find out which organization has reserved CVE-2020-16248, so I decided to send email to this list to inform the organization, enabling them to update their records.

You did not address the reporter at all. The reporter is also not a regular user of GitHub, where this issue was raised.

> Sorry for using this list for that purpose, I could not find a less wrong place to inform the (hopefully) interested parties.

As others already told you, Mitre provides a form to request updates to CVE entries at https://cve.mitre.org/cve/update_cve_entries.html.

Regards,
Bastian

-- 
Our way is peace.
  -- Septimus, the Son Worshiper, "Bread and Circuses", stardate 4040.7.
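The mitigation the reply points at, requiring operators to specify the allowed probe targets, is shown below as an added example in Go (the language blackbox_exporter is written in). This is illustrative code added here, not code from blackbox_exporter or from anyone in the thread; the `TargetPolicy` type, the configuration values and the denied ranges are all assumptions made for the example. A literal IP target must fall inside an operator-approved CIDR and outside loopback, link-local and cloud-metadata ranges; a hostname target must appear on an explicit allow list; only http and https schemes are accepted.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// TargetPolicy is a hypothetical allow list for probe targets (not
// blackbox_exporter's own code): it turns "probe anything" into
// "probe only what the operator listed".
type TargetPolicy struct {
	allowedSchemes map[string]bool
	allowedHosts   map[string]bool // exact hostnames the operator approved
	allowedCIDRs   []*net.IPNet    // literal IP targets must fall in one of these
	deniedCIDRs    []*net.IPNet    // checked first: loopback, link-local, metadata ranges
}

var ErrTargetNotAllowed = errors.New("probe target not allowed by policy")

// mustCIDRs parses operator-supplied CIDRs; a bad entry is a config error.
func mustCIDRs(cidrs []string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad CIDR %q: %v", c, err))
		}
		out = append(out, n)
	}
	return out
}

// NewTargetPolicy builds a policy from approved hostnames and CIDRs. Loopback,
// link-local (which includes the 169.254.169.254 cloud metadata address) and
// their IPv6 equivalents are denied regardless of the allow lists.
func NewTargetPolicy(hosts, cidrs []string) *TargetPolicy {
	p := &TargetPolicy{
		allowedSchemes: map[string]bool{"http": true, "https": true},
		allowedHosts:   map[string]bool{},
		allowedCIDRs:   mustCIDRs(cidrs),
		deniedCIDRs:    mustCIDRs([]string{"127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10"}),
	}
	for _, h := range hosts {
		p.allowedHosts[strings.ToLower(h)] = true
	}
	return p
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check returns nil when target may be probed, otherwise an error wrapping
// ErrTargetNotAllowed that says why. No DNS lookup is done here, so a hostname
// is judged by the allow list alone, not by what it resolves to.
func (p *TargetPolicy) Check(target string) error {
	u, err := url.Parse(target)
	if err != nil {
		return fmt.Errorf("%w: unparsable URL: %v", ErrTargetNotAllowed, err)
	}
	if !p.allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("%w: scheme %q", ErrTargetNotAllowed, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return fmt.Errorf("%w: empty host", ErrTargetNotAllowed)
	}
	if ip := net.ParseIP(host); ip != nil {
		if inAny(ip, p.deniedCIDRs) {
			return fmt.Errorf("%w: %s is in a denied range", ErrTargetNotAllowed, ip)
		}
		if !inAny(ip, p.allowedCIDRs) {
			return fmt.Errorf("%w: %s is outside the allowed ranges", ErrTargetNotAllowed, ip)
		}
		return nil
	}
	if !p.allowedHosts[host] {
		return fmt.Errorf("%w: host %q is not on the allow list", ErrTargetNotAllowed, host)
	}
	return nil
}

func main() {
	// Constructed configuration and sample targets for demonstration.
	policy := NewTargetPolicy([]string{"www.example.com"}, []string{"10.20.0.0/16"})
	for _, t := range []string{
		"https://www.example.com/health",
		"http://10.20.3.4:8080/metrics",
		"http://169.254.169.254/latest/meta-data/",
		"http://10.99.0.1/",
		"gopher://www.example.com/",
	} {
		if err := policy.Check(t); err != nil {
			fmt.Printf("DENY  %s: %v\n", t, err)
		} else {
			fmt.Printf("ALLOW %s\n", t)
		}
	}
}
```

The check is deliberately offline: an approved hostname is trusted as the operator configured it. Where that is not enough (the name could later resolve into a denied range), the same IP checks should be repeated on the resolved address inside the probe's dialer, so that the decision is made on the address actually connected to.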
Current thread:
- Voiding CVE-2020-16248 Richard Hartmann (Aug 08)
- Re: Voiding CVE-2020-16248 Hanno Böck (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Bartłomiej Płotka (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Julien Pivotto (Aug 08)
- Re: Voiding CVE-2020-16248 Sylvain Beucler (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)
- Re: Voiding CVE-2020-16248 Bastian Blank (Aug 08)
- Re: Voiding CVE-2020-16248 Jeffrey Walton (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)