Re: Voiding CVE-2020-16248

Related Vulnerabilities: CVE-2020-16248  

oss-sec mailing list archives

From: Bastian Blank <bblank () thinkmo de>

Date: Sat, 8 Aug 2020 17:21:44 +0200

Hi Richard

On Sat, Aug 08, 2020 at 10:49:14AM +0200, Richard Hartmann wrote:
> the Prometheus project[1] has received a public "vulnerability"
> report[2] against what the reporter called SSRF, but what is the core
> functionality of blackbox_exporter[3]: The ability to trigger network
> probes over the network to monitor a target's availability.

Could you please explain why you think this is not a
vulnerability?  Even wanted functionality can constitute a vulnerability
if looked at more closely.

The software allows sending pre-defined requests to arbitrary targets
and extracting at least parts of the response.  This is a typical SSRF.
If you required the allowed targets to be specified, no one would ask.

> From context,
> it seems to be a paid assessment of our software for an unnamed client
> which increases motivation to get "results", in particular CVEs for
> "zero days" - which are then promptly reported publicly with an
> embargoed CVE.

Please don't.  You just accused the reporter of malpractice on a public
forum.  JFYI, this is punishable in your jurisdiction.

Also embargo and posting a public issue on GitHub don't really mix.

> The reporter has not replied to our statement that this behaviour is
> core functionality. I could not find out which organization has
> reserved CVE-2020-16248 so I decided to send email to this list to
> inform the organization, enabling them to update their records.

You did not address the reporter at all.  The reporter is also not a
regular user of GitHub, where this issue was raised.

> Sorry for using this list for that purpose, I could not find a less
> wrong place to inform the (hopefully) interested parties.

As others already told you, Mitre provides a form to request updates to
CVE entries at https://cve.mitre.org/cve/update_cve_entries.html.

Regards,
Bastian

-- 
Our way is peace.
                -- Septimus, the Son Worshiper, "Bread and Circuses",
                   stardate 4040.7.
