Command Injection Vulnerability in Pi-hole by Pi-hole Project
CVE-2020-12620

7.8HIGH

Key Information:

Vendor

Pi-hole

Status
Pi-hole
Vendor
CVE Published:
30 July 2020

What is CVE-2020-12620?

The Pi-hole software version 4.4 is susceptible to a command injection vulnerability due to improper handling of user input. An attacker with write access to the configuration file /etc/pihole/dns-servers.conf can exploit this weakness by injecting shell metacharacters following an IP address, leading to potential privilege escalation within the system. This issue arises from the lack of sufficient input sanitization. Users of Pi-hole 4.4 are advised to review their permissions and ensure that appropriate security measures are implemented.

References

https://github.com/pi-hole/pi-hole
x_refsource_MISC
https://pi-hole.net/
x_refsource_MISC
https://0xpanic.github.io/2020/07/21/Pihole.html
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.