Thanks for this work, Richi, this is quite... interesting that someone might mark core functionality as a CVE.

Kind Regards,
Bartek

On Sat, 8 Aug 2020 at 09:49, Richard Hartmann <[email protected]> wrote:

> Dear all,
>
> the Prometheus project[1] has received a public "vulnerability"
> report[2] against what the reporter called SSRF, but what is the core
> functionality of blackbox_exporter[3]: The ability to trigger network
> probes over the network to monitor a target's availability. The
> reporter stated that CVE-2020-16248 has been assigned. From context,
> it seems to be a paid assessment of our software for an unnamed client
> which increases motivation to get "results", in particular CVEs for
> "zero days" - which are then promptly reported publicly with an
> embargoed CVE.
>
> The reporter has not replied to our statement that this behaviour is
> core functionality. I could not find out which organization has
> reserved CVE-2020-16248 so I decided to send email to this list to
> inform the organization, enabling them to update their records.
>
> Sorry for using this list for that purpose, I could not find a less
> wrong place to inform the (hopefully) interested parties.
>
>
> Best,
> Richard
>
> [1] https://prometheus.io/
> [2] https://github.com/prometheus/blackbox_exporter/issues/669
> [3] https://github.com/prometheus/blackbox_exporter

