Main Vulnerability Database Vulnerabilities #VU87908

External Control of File Name or Path in Pi-hole - CVE-2024-28247

Published: March 28, 2024 / Updated: April 5, 2024

Vulnerability identifier: #VU87908

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2024-28247

CWE-ID: CWE-73

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Pi-hole

Affected software:
Pi-hole

Detailed vulnerability description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to application allows an attacker to control path of the files to read when accessing them via the "file://" handler. A remote attacker can send a specially crafted request and read arbitrary files on the system with root privileges.

How to mitigate CVE-2024-28247

Install updates from vendor's website.

Sources

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x
https://github.com/pi-hole/pi-hole/commit/f3af03174e676c20e502a92ed7842159f2fdeb7e
https://github.com/pi-hole/pi-hole/releases/tag/v5.18

External Control of File Name or Path in Pi-hole - CVE-2024-28247

Detailed vulnerability description

How to mitigate CVE-2024-28247

Sources

Please verify you're human