Main Vulnerability Database Vulnerabilities #VU87908

#VU87908 External Control of File Name or Path in Pi-hole - CVE-2024-28247

Published: March 28, 2024 / Updated: April 5, 2024

Vulnerability identifier: #VU87908

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2024-28247

CWE-ID: CWE-73

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Pi-hole

Software vendor:
Pi-hole

Description

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to application allows an attacker to control path of the files to read when accessing them via the "file://" handler. A remote attacker can send a specially crafted request and read arbitrary files on the system with root privileges.

Remediation

Install updates from vendor's website.

External links

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x
https://github.com/pi-hole/pi-hole/commit/f3af03174e676c20e502a92ed7842159f2fdeb7e
https://github.com/pi-hole/pi-hole/releases/tag/v5.18