oss-sec mailing list archives
Re: Voiding CVE-2020-16248
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 8 Aug 2020 12:09:09 +0200
FWIW while I don't particularly care about the CVE assignment issue, I think there is a valuable discussion to have here.

I feel the issue here is that with SSRF there often seems to be some kind of difficulty to pinpoint whether something is actually a flaw or an intended feature and who's to blame.

Ultimately these issues come down to this:

* There's an expectation that network requests originating from localhost (or from a tightly controlled internal network IP) can be considered trustworthy and are performed by someone/something with some form of local authority.

* However that's not necessarily true as you may have many applications that do outgoing network requests that in a variety of ways can be controlled by an attacker.

I feel this is somehow also similar to fights between network security thinking and endpoint security thinking that we can see elsewhere. (e.g. the whole TLS interception debate.)

-- 
Hanno Böck
https://hboeck.de/
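The two points above can be made concrete in code. The following is an added example written for this archive page; it is not code from the mail or from any project discussed in the thread. It simulates, in one process and without opening any sockets, an admin endpoint that infers authority from the peer's source address, a URL fetcher running on the same host that an attacker can point at that endpoint (the SSRF path), a hardened fetcher that vets the resolved destination and connects to the vetted address, and an endpoint that demands a credential regardless of where the request comes from. The hostname table, the endpoint paths and the token are constructed for the example.

```python
"""SSRF versus "requests from localhost are trusted": an added illustration.

Nothing here touches the network. The name->address table is constructed
for the example; a real fetcher would call socket.getaddrinfo().
"""
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],   # cloud-metadata style link-local
    "harmless.example": ["10.0.0.5"],           # public-looking name, internal answer
}


def resolve(host):
    """All addresses for host, or [] if unknown. IP literals need no lookup."""
    try:
        return [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


# --- "Network security thinking": trust is derived from the source address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]


def is_trusted_peer(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in INTERNAL_NETS)


def admin_endpoint(peer_ip, path):
    """Unauthenticated admin API: local origin is taken as local authority."""
    if path == "/admin/config" and is_trusted_peer(peer_ip):
        return "db_password=hunter2"
    return "403 Forbidden"


def simulated_request(addr, path):
    """Simulated transport. A connection to this host's own loopback address
    is answered by admin_endpoint, which sees 127.0.0.1 as the peer."""
    if ipaddress.ip_address(addr).is_loopback:
        return admin_endpoint("127.0.0.1", path)
    return f"fetched {addr}{path}"


# --- The SSRF vector: a fetcher on the same host with no destination check.
def naive_fetch(url):
    parts = urlsplit(url)
    addrs = resolve(parts.hostname or "")
    if not addrs:
        return "resolution failed"
    return simulated_request(addrs[0], parts.path)


# --- Hardened fetcher: every resolved address must be globally routable.
def vet_destination(url):
    """Return (addresses, reason); addresses is None when the URL is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return None, "no host"
    addrs = resolve(parts.hostname)
    if not addrs:
        return None, "resolution failed"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified or not ip.is_global):
            return None, f"{parts.hostname} resolves to non-public {a}"
    return addrs, "ok"


def safe_fetch(url):
    addrs, reason = vet_destination(url)
    if addrs is None:
        return f"blocked: {reason}"
    # Connect to the address that was checked, not to the hostname, so a
    # second lookup (DNS rebinding) cannot swap in an internal address.
    return simulated_request(addrs[0], urlsplit(url).path)


# --- "Endpoint security thinking": require a credential whatever the source.
ADMIN_TOKEN = "constructed-example-token"   # assumption: loaded from config in real code


def admin_endpoint_fixed(peer_ip, path, token):
    del peer_ip  # the source address is deliberately not consulted
    if path == "/admin/config" and hmac.compare_digest(token, ADMIN_TOKEN):
        return "db_password=hunter2"
    return "403 Forbidden"
```

The vetting function refuses the URL if any resolved address is non-public, not just the first one, and `safe_fetch` reuses the vetted address rather than resolving again. Even so, a redirect from a public host to an internal address would have to be vetted per hop, which is why the endpoint-side fix (`admin_endpoint_fixed`) is the one that does not depend on every local client getting this right.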
Current thread:
- Voiding CVE-2020-16248 Richard Hartmann (Aug 08)
- Re: Voiding CVE-2020-16248 Hanno Böck (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Bartłomiej Płotka (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Julien Pivotto (Aug 08)
- Re: Voiding CVE-2020-16248 Sylvain Beucler (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)
- Re: Voiding CVE-2020-16248 Bastian Blank (Aug 08)
- Re: Voiding CVE-2020-16248 Jeffrey Walton (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)