CVE-2023-26735

2023-04-2600:15:09

Debian Security Bug Tracker

security-tracker.debian.org

blackbox_exporter

v0.23.0

access control

intranet ports

services

authentication

vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.5%

JSON

blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.

OSVersionArchitecturePackageVersionFilename
Debian12allprometheus-blackbox-exporter<= 0.23.0-4prometheus-blackbox-exporter_0.23.0-4_all.deb
Debian11allprometheus-blackbox-exporter<= 0.18.0+ds-3prometheus-blackbox-exporter_0.18.0+ds-3_all.deb
Debian999allprometheus-blackbox-exporter<= 0.25.0-1prometheus-blackbox-exporter_0.25.0-1_all.deb
Debian13allprometheus-blackbox-exporter<= 0.25.0-1prometheus-blackbox-exporter_0.25.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	prometheus-blackbox-exporter	<= 0.23.0-4	prometheus-blackbox-exporter_0.23.0-4_all.deb
Debian	11	all	prometheus-blackbox-exporter	<= 0.18.0+ds-3	prometheus-blackbox-exporter_0.18.0+ds-3_all.deb
Debian	999	all	prometheus-blackbox-exporter	<= 0.25.0-1	prometheus-blackbox-exporter_0.25.0-1_all.deb
Debian	13	all	prometheus-blackbox-exporter	<= 0.25.0-1	prometheus-blackbox-exporter_0.25.0-1_all.deb