Dear all,

the Prometheus project[1] has received a public "vulnerability" report[2] against what the reporter called SSRF, but what is the core functionality of blackbox_exporter[3]: The ability to trigger network probes over the network to monitor a target's availability. The reporter stated that CVE-2020-16248 has been assigned. From context, it seems to be a paid assessment of our software for an unnamed client which increases motivation to get "results", in particular CVEs for "zero days" - which are then promptly reported publicly with an embargoed CVE.

The reporter has not replied to our statement that this behaviour is core functionality. I could not find out which organization has reserved CVE-2020-16248 so I decided to send email to this list to inform the organization, enabling them to update their records. Sorry for using this list for that purpose, I could not find a less wrong place to inform the (hopefully) interested parties.

Best,
Richard

[1] https://prometheus.io/
[2] https://github.com/prometheus/blackbox_exporter/issues/669
[3] https://github.com/prometheus/blackbox_exporter

