Re: [prometheus-team] Voiding CVE-2020-16248

[Bartłomiej Płotka <bwplotka () gmail com>]

Thanks for this work Richi, this is quite... interesting that someone might
mark core functionality as CVE.

Kind Regards,
Bartek

On Sat, 8 Aug 2020 at 09:49, Richard Hartmann <richih.mailinglist () gmail com>
wrote:

> Dear all,
>
> the Prometheus project[1] has received a public "vulnerability"
> report[2] against what the reporter called SSRF, but what is the core
> functionality of blackbox_exporter[3]: The ability to trigger network
> probes over the network to monitor a target's availability. The
> reporter stated that CVE-2020-16248 has been assigned. From context,
> it seems to be a paid assessment of our software for an unnamed client
> which increases motivation to get "results", in particular CVEs for
> "zero days" - which are then promptly reported publicly with an
> embargoed CVE.
>
> The reporter has not replied to our statement that this behaviour is
> core functionality. I could not find out which organization has
> reserved CVE-2020-16248 so I decided to send email to this list to
> inform the organization, enabling them to update their records.
>
> Sorry for using this list for that purpose, I could not find a less
> wrong place to inform the (hopefully) interested parties.
>
>
> Best,
> Richard
>
> [1] https://prometheus.io/
> [2] https://github.com/prometheus/blackbox_exporter/issues/669
> [3] https://github.com/prometheus/blackbox_exporter
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Team" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to prometheus-team+unsubscribe () googlegroups com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-team/CAD77%2BgR7G5zBc4pwQ86H-UuMk6QOgPcuK8R-hmmHqv8%2B8_%2Bdbw%40mail.gmail.com
> .