PT-2023-19076 · Pi-Hole · Pi-Hole

4N4Nk3 · Published 2023-01-26 · Updated 2023-02-06 · CVE-2023-23614

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pi-hole versions 4.0 through 5.18.2

Description: The issue concerns the improper use of the admin WEBPASSWORD hash as the "Remember me for 7 days" cookie value in Pi-hole's Web interface. This allows an attacker to "pass the hash" and log in, or to reuse a theoretically expired "remember me" cookie. The cookie's value remains valid as long as the admin password doesn't change; if leaked or compromised, it could be used indefinitely until the admin password is changed. An attacker who obtains the password hash via another attack vector could use it to log in as the admin without needing to crack the hash. The hash is exposed over the network and in the browser.

Recommendations: For versions prior to 5.18.3, update to version 5.18.3 to resolve the issue. As a temporary workaround, change the admin password regularly to minimize the risk of exploitation, restrict access to the Web interface, and avoid using the "Remember me for 7 days" feature until the issue is resolved.
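The description above pins down the design fault: the cookie value is the stored password hash itself, so it has no lifetime of its own and is only ever invalidated by a password change. The following added example (not Pi-hole's code; the hashing scheme, the function and class names, and the "admin" user are assumptions for illustration) places that pattern beside a server-side design that issues random tokens with an absolute expiry and revokes them on password change, and shows how each behaves past the seven-day window.

```python
"""Remember-me cookie design: the vulnerable pattern beside a hardened one."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SEVEN_DAYS = 7 * 24 * 3600

# Constructed sample values; the hashing scheme is illustrative, not Pi-hole's.
ADMIN_PASSWORD_HASH = hashlib.sha256(b"constructed-sample-password").hexdigest()


# --- Vulnerable pattern (the one the advisory describes) ---------------------

def weak_issue_cookie(password_hash: str) -> str:
    """The cookie value is the stored password hash itself: nothing random,
    nothing time-bound, so it stays valid until the password changes."""
    return password_hash


def weak_validate_cookie(cookie: str, current_password_hash: str) -> bool:
    """Accepts the cookie whenever it equals the current hash; the advertised
    seven-day limit is never enforced because there is nothing to expire."""
    return hmac.compare_digest(cookie, current_password_hash)


# --- Hardened pattern --------------------------------------------------------

def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked store yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    """Server-side store of random, expiring, revocable remember-me tokens."""

    def __init__(self, ttl_seconds: int = SEVEN_DAYS) -> None:
        self.ttl = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a fresh 256-bit token, unrelated to any password, with an absolute expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user, now + self.ttl)
        return token

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        key = _digest(cookie)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self._tokens.pop(key, None)  # expired: drop it so it cannot be replayed
            return None
        return user

    def revoke_user(self, user: str) -> int:
        """Invalidate every token for a user, e.g. on password change or logout."""
        stale = [d for d, (u, _) in self._tokens.items() if u == user]
        for d in stale:
            del self._tokens[d]
        return len(stale)


def compare_designs() -> Dict[str, bool]:
    """Exercise both designs at fixed (constructed) timestamps and report what each does."""
    t0 = 1_700_000_000.0
    eight_days_later = t0 + 8 * 24 * 3600
    new_password_hash = hashlib.sha256(b"constructed-rotated-password").hexdigest()

    weak_cookie = weak_issue_cookie(ADMIN_PASSWORD_HASH)
    store = RememberMeStore()
    strong_cookie = store.issue("admin", now=t0)
    second_cookie = store.issue("admin", now=t0)
    return {
        "weak_cookie_is_password_hash": weak_cookie == ADMIN_PASSWORD_HASH,
        "weak_still_valid_after_8_days": weak_validate_cookie(weak_cookie, ADMIN_PASSWORD_HASH),
        "weak_rejected_only_after_password_change": not weak_validate_cookie(weak_cookie, new_password_hash),
        "strong_cookie_contains_hash": ADMIN_PASSWORD_HASH in strong_cookie,
        "strong_valid_within_ttl": store.validate(strong_cookie, now=t0 + SEVEN_DAYS - 1) == "admin",
        "strong_rejected_after_expiry": store.validate(strong_cookie, now=eight_days_later) is None,
        "strong_revoked_on_password_change": (
            store.revoke_user("admin") == 1 and store.validate(second_cookie, now=t0) is None
        ),
    }


if __name__ == "__main__":
    for check, outcome in compare_designs().items():
        print(f"{check}: {outcome}")
```

The two properties a reviewer should look for in any "remember me" implementation are visible in the hardened half: the cookie carries no information derived from the credential, and validity is decided by server-side state (expiry and revocation) rather than by whether a secret still matches.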

Weakness Enumeration: Insufficient Session Expiration

Related Identifiers: CVE-2023-23614, GHSA-33W4-XF7M-F82M

Affected Products: Pi-Hole