a fatal bug that can Unauthorized access to the system

[ROCKLEE-1998]

No description provided.

[dswarbrick]

I wouldn't consider this a "fatal bug", since blackbox_exporter can be secured with TLS and basic authentication: https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication

(and prior to this capability, most people who were concerned about security would run exporters behind a simple reverse proxy (such as nginx) with authentication configured)

[carnil]

Apparently CVE-2023-26735 was assigned for this issue (#1024), including #1025 and #1026 . But given the reasoning in #1024 (comment) should this CVE be rejected?

@ROCKLEE-1998 assuming you did request the CVEs can you followup with that to MITRE via the CVE webform?

[ajakk]

I've requested that MITRE reject CVE-2023-26735 as a duplicate of CVE-2020-16248.

@ROCKLEE-1998, why did you remove your descriptions?

[ROCKLEE-1998]

我已要求 MITRE 拒绝将CVE-2023-26735作为CVE-2020-16248的副本。

@ROCKLEE-1998，你为什么删除你的描述？
Because it is unethical to directly disclose the poc

[ajakk]

Well, the original contents of your descriptions are still available in the history. By doing this, you just reduce the value of the CVE to everyone and make it harder to parse the noise you've generated.

[ROCKLEE-1998]

Well, the original contents of your descriptions are still available in the history. By doing this, you just reduce the value of the CVE to everyone and make it harder to parse the noise you've generated.

I need to comply with the laws and regulations of my country regarding vulnerabilities