On 08 Aug 11:16, Bartłomiej Płotka wrote:
> Thanks for this work Richi, this is quite... interesting that someone might
> mark core functionality as CVE.

That is not that crazy. You could "ddos" someone and hide your own IP address.

>
> Kind Regards,
> Bartek
>
> On Sat, 8 Aug 2020 at 09:49, Richard Hartmann <[email protected]>
> wrote:
>
> > Dear all,
> >
> > the Prometheus project[1] has received a public "vulnerability"
> > report[2] against what the reporter called SSRF, but what is the core
> > functionality of blackbox_exporter[3]: The ability to trigger network
> > probes over the network to monitor a target's availability. The
> > reporter stated that CVE-2020-16248 has been assigned. From context,
> > it seems to be a paid assessment of our software for an unnamed client
> > which increases motivation to get "results", in particular CVEs for
> > "zero days" - which are then promptly reported publicly with an
> > embargoed CVE.
> >
> > The reporter has not replied to our statement that this behaviour is
> > core functionality. I could not find out which organization has
> > reserved CVE-2020-16248 so I decided to send email to this list to
> > inform the organization, enabling them to update their records.
> >
> > Sorry for using this list for that purpose, I could not find a less
> > wrong place to inform the (hopefully) interested parties.
> >
> >
> > Best,
> > Richard
> >
> > [1] https://prometheus.io/
> > [2] https://github.com/prometheus/blackbox_exporter/issues/669
> > [3] https://github.com/prometheus/blackbox_exporter
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Prometheus Team" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/prometheus-team/CAD77%2BgR7G5zBc4pwQ86H-UuMk6QOgPcuK8R-hmmHqv8%2B8_%2Bdbw%40mail.gmail.com
> > .

--
Julien Pivotto
@roidelapluie

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20200808102052.GA376865%40oxygen.

