oss-sec mailing list archives

Re: Voiding CVE-2020-16248
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 8 Aug 2020 12:09:09 +0200

FWIW while I don't particularly care about the CVE assignment issue, I
think there is a valuable discussion to have here.

I feel the issue here is that with SSRF there often seems to be some
kind of difficulty to pinpoint whether something is actually a flaw or
an intended feature and who's to blame.

Ultimately these issues come down to this:
* There's an expectation that network requests originating from
  localhost (or from a tightly controlled internal network IP) can be
  considered trustworthy and are performed by someone/something with
  some form of local authority.
* However that's not necessarily true as you may have many applications
  that do outgoing network requests that in a variety of ways can be
  controlled by an attacker.

I feel this is somehow also similar to fights between network security
thinking and endpoint security thinking that we can see elsewhere.
(e.g. the whole TLS interception debate.)

-- 
Hanno Böck
https://hboeck.de/
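The second bullet above, applications making attacker-influenced outgoing requests, is what an egress guard for server-side fetches is meant to contain, and the first bullet is why it matters: a loopback or internal target is exactly where a service that "trusts local requests" lives. The following is an added example, not code from this thread or from any project discussed in it. It refuses a URL when any address its host resolves to is loopback, private, link-local, unspecified or otherwise not globally routable, unwrapping IPv4-mapped IPv6 first. The function names, the `resolver` hook and the `CONSTRUCTED_DNS` table are assumptions made so the check runs offline; the default resolver uses the system's `getaddrinfo`.

```python
"""Egress guard for server-side HTTP fetches (added example).

Rejects destinations that resolve to internal address space so that an
attacker-controlled URL cannot be turned into a request that arrives at
localhost or the internal network with the server's own authority.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline use; these names and the public-looking
# address are sample values, not real infrastructure.
CONSTRUCTED_DNS = {
    "api.example": ["93.184.216.34"],              # stand-in for a public host
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "metadata": ["169.254.169.254"],               # link-local metadata range
    "mapped.example": ["::ffff:127.0.0.1"],        # IPv4-mapped loopback
    "mixed.example": ["93.184.216.34", "127.0.0.1"],  # public + internal
}


def constructed_resolver(host: str) -> Iterable[str]:
    """Offline resolver backed by CONSTRUCTED_DNS (assumed helper)."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed table has no entry for {host!r}")
    return CONSTRUCTED_DNS[host]


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every address getaddrinfo returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(addr: str) -> bool:
    """True for addresses an attacker-influenced fetch must not reach.

    Covers loopback (127/8, ::1), RFC 1918 / ULA, link-local (including
    169.254.169.254-style metadata endpoints), 0.0.0.0, multicast and any
    other range Python does not consider globally routable. An IPv4-mapped
    IPv6 address is unwrapped so ::ffff:127.0.0.1 is judged as 127.0.0.1.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or not ip.is_global)


def rejected_reason(url: str,
                    resolver: Callable[[str], Iterable[str]] = system_resolver
                    ) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "no host in URL"
    try:
        # An IP literal needs no lookup; anything else goes through the resolver.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (socket.gaierror, ValueError) as exc:
            return f"resolution failed for {host!r}: {exc}"
    if not addrs:
        return f"{host!r} resolved to no addresses"
    # Every resolved address must be external: a name that maps to both a
    # public and an internal address is still refused.
    for addr in addrs:
        if is_internal_address(addr):
            return f"{host!r} resolves to internal address {addr}"
    return None


if __name__ == "__main__":
    for sample in ("http://api.example/v1", "http://localhost:8080/admin",
                   "http://[::1]/", "http://metadata/", "ftp://api.example/"):
        verdict = rejected_reason(sample, constructed_resolver)
        print(f"{sample:32} -> {'allowed' if verdict is None else verdict}")
```

The check belongs as close to the socket as possible: resolving once for the check and again for the fetch leaves a window in which the answer can change, so a production fetcher should connect to the address it validated rather than re-resolve the name. The guard is one half of the picture; the other half, implied by the first bullet, is that services bound to loopback should not treat a request's local origin as authentication.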
