oss-sec mailing list archives

Voiding CVE-2020-16248


From: Richard Hartmann <richih.mailinglist () gmail com>
Date: Sat, 8 Aug 2020 10:49:14 +0200

Dear all,

the Prometheus project[1] has received a public "vulnerability"
report[2] against what the reporter called SSRF, but what is the core
functionality of blackbox_exporter[3]: The ability to trigger network
probes over the network to monitor a target's availability. The
reporter stated that CVE-2020-16248 has been assigned. From context,
it seems to be a paid assessment of our software for an unnamed client
which increases motivation to get "results", in particular CVEs for
"zero days" - which are then promptly reported publicly with an
embargoed CVE.

The reporter has not replied to our statement that this behaviour is
core functionality. I could not find out which organization has
reserved CVE-2020-16248 so I decided to send email to this list to
inform the organization, enabling them to update their records.

Sorry for using this list for that purpose, I could not find a less
wrong place to inform the (hopefully) interested parties.


Best,
Richard

[1] https://prometheus.io/
[2] https://github.com/prometheus/blackbox_exporter/issues/669
[3] https://github.com/prometheus/blackbox_exporter
