CVE-2020-16248

Name
CVE-2020-16248
Description
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mailing List https://www.openwall.com/lists/oss-security/2020/08/08/3
Exploit https://github.com/prometheus/blackbox_exporter/issues/669
Mailing List https://www.openwall.com/lists/oss-security/2020/08/08/12
Vendor Advisory https://prometheus.io/docs/operating/security/#exporters
MISC https://seclists.org/oss-sec/2020/q3/94

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:prometheus:blackbox_exporter:*:*:*:*:*:*:*:* blackbox_exporter >= None <= 0.17.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
prometheus-blackbox-exporter edge-community 0.18.0-r0 None fixed
prometheus-blackbox-exporter 3.22-community 0.18.0-r0 None fixed
prometheus-blackbox-exporter 3.21-community 0.18.0-r0 None fixed
prometheus-blackbox-exporter 3.20-community 0.18.0-r0 None fixed
prometheus-blackbox-exporter 3.19-community 0.18.0-r0 None fixed
prometheus-blackbox-exporter 3.18-community 0.18.0-r0 None fixed