Server-Side Request Forgery Vulnerability in Prometheus Blackbox Exporter
CVE-2020-16248

5.8MEDIUM

Key Information:

Vendor

Prometheus

Status
Blackbox Exporter
Vendor
CVE Published:
9 August 2020

What is CVE-2020-16248?

The Prometheus Blackbox Exporter, up to version 0.17.0, is susceptible to a Server-Side Request Forgery vulnerability that permits attackers to leverage the /probe?target= endpoint in a manner that may expose sensitive information or interact with internal systems. This behavior has raised discussions about its intended functionality versus a misconfiguration vulnerability, highlighting the need for secure configuration practices and awareness of potential risks when utilizing the Blackbox Exporter.

References

https://github.com/prometheus/blackbox_exporter/issues/669
x_refsource_MISC
https://prometheus.io/docs/operating/security/#exporters
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2020/08/08/3
x_refsource_MISC

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.