
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. #669

Closed
charles2j opened this issue Aug 3, 2020 · 8 comments

Comments

@charles2j

SSRF Vulnerability
During the company's penetration test, it was found that the Blackbox Exporter service was open to the Internet, which led to SSRF detection of the company's internal network.

Set up the Blackbox Exporter test environment, and then visit:

http://123.123.123.123:9115/probe?target=hadoop.corp.xxxxxx.com&module=http_2xx&debug=true

The Blackbox Exporter log output will show the service redirect to
http://hadoop.corp.xxxxxx.com/cluster

As long as the target is replaced, weaknesses in internal services can be detected.

Other protocols are also supported.

Blackbox Exporter is a service to test the state of network
connectivity. If it is configured incorrectly, SSRF can detect weak
services and applications in the internal network.

CVE-2020-16248

@brian-brazil
Contributor

Thanks for your report, the procedure for reporting security issues can be found at https://prometheus.io/docs/operating/security/#security-model

This is not a security vulnerability, it is the entire purpose of this exporter. The risks of this are already called out in our security model at https://prometheus.io/docs/operating/security/#exporters.

@brian-brazil
Contributor

Given that this is expected behaviour, and no further details have been provided, I'm going to close this off.

If you believe you have found a vulnerability, the procedure for reporting it is at https://prometheus.io/docs/operating/security/#security-model

@RichiH
Member

RichiH commented Aug 8, 2020

Addendum: I could not find out through which entity you reserved CVE-2020-16248, but I would ask you to have it marked as invalid.

@charles2j
Author

https://prometheus.io/docs/operating/security/#security-model,
It seems that there is no clear description of the security risks of SSRF. Users need to be reminded that Blackbox Exporter should only allow access from the same-level network and must prohibit external networks from accessing its web service; otherwise SSRF can be used to detect security problems in weak services on the internal network.

@charles2j
Author

Addendum: I could not find out through which entity you reserved CVE-2020-16248, but I would ask you to have it marked as invalid.

CVE is an international vulnerability assessment body. The CVE-2020-16248 vulnerability has not been effectively handled and has no security configuration instructions, so it is not disclosed at present. I am just the discoverer of the problem; there is no way to close the CVE ID.

@brian-brazil
Contributor

It seems that there is no clear description of the security risks of ssrf,

The text says "Thus anyone with HTTP access to these exporters can make them send requests to arbitrary endpoints.", which seems clear to me.

The security model page describes our security model, with some pointers to what may be non-obvious implications of it. It is not intended to be a detailed guide into web application security, nor to explain every possible mitigation that might apply. Nor should it be, as that would obscure the information that page is intended to present.

If you've further questions about why this is not a vulnerability, I'd suggest taking them to the prometheus-developers mailing list.
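The security-model sentence quoted above is the whole risk in one line: whoever can reach the exporter's HTTP port chooses where it sends requests. One way an operator can make the "prohibit external networks" advice concrete is to keep the exporter on loopback and expose it only through a small guard that allowlists probe targets. The following Go program is an added example written for this thread; it is not part of Blackbox Exporter or any Prometheus project, and the upstream address 127.0.0.1:9115, the guard port 9116, and the example hosts and ranges are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Policy is the allowlist enforced on the target= parameter of /probe:
// Hosts are exact hostnames, Nets are CIDR ranges for IP-literal targets.
type Policy struct {
	Hosts []string
	Nets  []*net.IPNet
}

// mustCIDR parses a CIDR string or panics; used only for static policy setup.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// targetHost extracts the host of a blackbox target. Targets may be a bare
// host ("hadoop.corp.xxxxxx.com"), host:port, or a full URL, so bare targets
// get a dummy scheme before parsing. Hostname() strips any port and userinfo,
// so the check applies to the host the exporter would actually contact.
func targetHost(target string) (string, error) {
	t := target
	if !strings.Contains(t, "://") {
		t = "probe://" + t
	}
	u, err := url.Parse(t)
	if err != nil {
		return "", err
	}
	h := u.Hostname()
	if h == "" {
		return "", fmt.Errorf("no host in target %q", target)
	}
	return strings.ToLower(h), nil
}

// Allows reports whether target may be probed, plus a reason for the log line.
// Anything not on the allowlist is denied; there is no deny-list to bypass.
func (p Policy) Allows(target string) (bool, string) {
	host, err := targetHost(target)
	if err != nil {
		return false, err.Error()
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range p.Nets {
			if n.Contains(ip) {
				return true, "ip literal in allowed range"
			}
		}
		return false, "ip literal not in an allowed range"
	}
	for _, h := range p.Hosts {
		if strings.EqualFold(h, host) {
			return true, "host on allowlist"
		}
	}
	return false, "host not on allowlist"
}

// probeGuard proxies /metrics untouched, checks every /probe target against
// the policy, and answers 404 on all other paths so that only the two
// endpoints Prometheus needs are reachable through the guard.
func probeGuard(p Policy, upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/metrics":
			proxy.ServeHTTP(w, r)
		case "/probe":
			target := r.URL.Query().Get("target")
			if ok, reason := p.Allows(target); !ok {
				// Denied probes are logged with the client address so that
				// scanning attempts are visible in the guard's own log.
				log.Printf("denied probe from %s target=%q: %s", r.RemoteAddr, target, reason)
				http.Error(w, "probe target not permitted", http.StatusForbidden)
				return
			}
			proxy.ServeHTTP(w, r)
		default:
			http.NotFound(w, r)
		}
	})
}

func main() {
	// Assumption: the exporter listens on loopback and only this guard is
	// reachable from the network; the policy values are placeholders.
	upstream, err := url.Parse("http://127.0.0.1:9115")
	if err != nil {
		log.Fatal(err)
	}
	policy := Policy{
		Hosts: []string{"www.example.com"},
		Nets:  []*net.IPNet{mustCIDR("192.0.2.0/24")},
	}
	log.Fatal(http.ListenAndServe(":9116", probeGuard(policy, upstream)))
}
```

Point Prometheus at port 9116 instead of 9115 and the allowlist is the full set of hosts the exporter can be made to contact; a request such as the one in the original report is answered with 403 and a log line naming the client, which is also a useful detection signal for the exposure described in this issue.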

@RichiH
Member

RichiH commented Aug 14, 2020

there is no way to close cveid

While that's technically correct, the issue filed with a CVE ID can be marked as invalid by the reporter, which will mark the CVE as invalid. That's what we asked you to do. If you're not the reporter, I would appreciate being put into contact with them.
