oss-sec mailing list archives
Voiding CVE-2020-16248
From: Richard Hartmann <richih.mailinglist () gmail com>
Date: Sat, 8 Aug 2020 10:49:14 +0200
Dear all,

the Prometheus project[1] has received a public "vulnerability" report[2] against what the reporter called SSRF, but what is the core functionality of blackbox_exporter[3]: The ability to trigger network probes over the network to monitor a target's availability.

The reporter stated that CVE-2020-16248 has been assigned. From context, it seems to be a paid assessment of our software for an unnamed client which increases motivation to get "results", in particular CVEs for "zero days" - which are then promptly reported publicly with an embargoed CVE.

The reporter has not replied to our statement that this behaviour is core functionality.

I could not find out which organization has reserved CVE-2020-16248 so I decided to send email to this list to inform the organization, enabling them to update their records.

Sorry for using this list for that purpose, I could not find a less wrong place to inform the (hopefully) interested parties.

Best,
Richard

[1] https://prometheus.io/
[2] https://github.com/prometheus/blackbox_exporter/issues/669
[3] https://github.com/prometheus/blackbox_exporter
Current thread:
- Voiding CVE-2020-16248 Richard Hartmann (Aug 08)
- Re: Voiding CVE-2020-16248 Hanno Böck (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Bartłomiej Płotka (Aug 08)
- Re: [prometheus-team] Voiding CVE-2020-16248 Julien Pivotto (Aug 08)
- Re: Voiding CVE-2020-16248 Sylvain Beucler (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)
- Re: Voiding CVE-2020-16248 Bastian Blank (Aug 08)
- Re: Voiding CVE-2020-16248 Jeffrey Walton (Aug 08)
- Re: Voiding CVE-2020-16248 Richard Hartmann (Aug 09)