CVE-2023-26735

** DISPUTED ** blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://blackboxexporter.com	Broken Link
http://prometheus.com	Broken Link
https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication	Product
https://github.com/prometheus/blackbox_exporter/issues/1024	Issue Tracking
https://github.com/prometheus/blackbox_exporter/issues/1025	Issue Tracking
https://github.com/prometheus/blackbox_exporter/issues/1026	Issue Tracking
http://blackboxexporter.com	Broken Link
http://prometheus.com	Broken Link
https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication	Product
https://github.com/prometheus/blackbox_exporter/issues/1024	Issue Tracking
https://github.com/prometheus/blackbox_exporter/issues/1025	Issue Tracking
https://github.com/prometheus/blackbox_exporter/issues/1026	Issue Tracking
https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:prometheus:blackbox_exporter:0.23.0:*:*:*:*:*:*:*

History

04 Feb 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication - Product~~	() https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication - Product

21 Nov 2024, 07:51

Type	Values Removed	Values Added
References	~~() http://blackboxexporter.com - Broken Link~~	() http://blackboxexporter.com - Broken Link
References	~~() http://prometheus.com - Broken Link~~	() http://prometheus.com - Broken Link
References	~~() https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication - Product~~	() https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication - Product
References	~~() https://github.com/prometheus/blackbox_exporter/issues/1024 - Issue Tracking~~	() https://github.com/prometheus/blackbox_exporter/issues/1024 - Issue Tracking
References	~~() https://github.com/prometheus/blackbox_exporter/issues/1025 - Issue Tracking~~	() https://github.com/prometheus/blackbox_exporter/issues/1025 - Issue Tracking
References	~~() https://github.com/prometheus/blackbox_exporter/issues/1026 - Issue Tracking~~	() https://github.com/prometheus/blackbox_exporter/issues/1026 - Issue Tracking

08 May 2023, 14:26

Type	Values Removed	Values Added
CWE		CWE-918
CPE		cpe:2.3:a:prometheus:blackbox_exporter:0.23.0:::::::*
References	~~(MISC) https://github.com/prometheus/blackbox_exporter/issues/1024 -~~	(MISC) https://github.com/prometheus/blackbox_exporter/issues/1024 - Issue Tracking
References	~~(MISC) https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication -~~	(MISC) https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication - Product
References	~~(MISC) http://prometheus.com -~~	(MISC) http://prometheus.com - Broken Link
References	~~(MISC) http://blackboxexporter.com -~~	(MISC) http://blackboxexporter.com - Broken Link
References	~~(MISC) https://github.com/prometheus/blackbox_exporter/issues/1026 -~~	(MISC) https://github.com/prometheus/blackbox_exporter/issues/1026 - Issue Tracking
References	~~(MISC) https://github.com/prometheus/blackbox_exporter/issues/1025 -~~	(MISC) https://github.com/prometheus/blackbox_exporter/issues/1025 - Issue Tracking
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

28 Apr 2023, 13:15

Type	Values Removed	Values Added
References		(MISC) https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication -
Summary	blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources.	DISPUTED blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.

26 Apr 2023, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-26 00:15

Updated : 2025-02-04 16:15

NVD link : CVE-2023-26735

Mitre link : CVE-2023-26735

CVE.ORG link : CVE-2023-26735

JSON object : View

Products Affected

prometheus

blackbox_exporter

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2023-26735", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-04-26T00:15:09.227", "references": [{"url": "http://blackboxexporter.com", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "http://prometheus.com", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1024", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1025", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1026", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "http://blackboxexporter.com", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://prometheus.com", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1024", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1025", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prometheus/blackbox_exporter/issues/1026", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication", "tags": ["Product"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured."}], "lastModified": "2025-02-04T16:15:35.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prometheus:blackbox_exporter:0.23.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF41B4A7-0D76-435B-BD57-3CC09A4900C0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

7.5 /10