Lucene search

MitreCVE-2020-16248

HistoryAug 09, 2020 - 5:15 p.m.

CVE-2020-16248

2020-08-0917:15:11

CWE-918

mitre

web.nvd.nist.gov

cve-2020-16248

prometheus

blackbox exporter

ssrf

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

49.9%

JSON

Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability

Affected configurations

Nvd

Node

prometheusblackbox_exporterRange≤0.17.0

VendorProductVersionCPE
prometheusblackbox_exporter*cpe:2.3:a:prometheus:blackbox_exporter:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
prometheus	blackbox_exporter	*	cpe:2.3:a:prometheus:blackbox_exporter::::::::

References

github.com/prometheus/blackbox_exporter/issues/669

prometheus.io/docs/operating/security/#exporters

seclists.org/oss-sec/2020/q3/94

www.openwall.com/lists/oss-security/2020/08/08/12

www.openwall.com/lists/oss-security/2020/08/08/3

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

49.9%

JSON

Related for CVE-2020-16248