Vulnerabilities > CVE-2023-26735 - Server-Side Request Forgery (SSRF) vulnerability in Prometheus Blackbox Exporter 0.23.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

prometheus

CWE-918

NVD

Published: 2023-04-26

Updated: 2024-04-11

Summary

blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.

Vulnerable Configurations

Part	Description	Count
Application	Prometheus Prometheus Blackbox Exporter 0.23.0	1

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

http://blackboxexporter.com
https://github.com/prometheus/blackbox_exporter/issues/1025
https://github.com/prometheus/blackbox_exporter/issues/1024
http://prometheus.com
https://github.com/prometheus/blackbox_exporter/issues/1026
https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication