PT-2020-13170 · Pi-Hole · Pi-Hole
Published
2020-07-30
·
Updated
2021-07-21
·
CVE-2020-12620
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pi-hole version 4.4
Description
The issue allows a user with write access to /etc/pihole/dns-servers.conf to escalate privileges through command injection by using shell metacharacters after an IP address.
Recommendations
For Pi-hole version 4.4, consider restricting write access to the /etc/pihole/dns-servers.conf file to prevent command injection attacks. As a temporary workaround, monitor the file for any unauthorized changes and limit the use of shell metacharacters in the file until a patch is available.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pi-Hole