Local Privilege Escalation Vulnerability in Pi-Hole by Pi-Hole Team
CVE-2020-14162

7.8 HIGH

Key Information:

Vendor: Pi-hole

Status
Vendor
CVE Published: 30 July 2020

What is CVE-2020-14162?

Pi-hole version 5.0 is affected by a vulnerability in which the local www-data user can execute the pihole core script with root privileges without a password. Through this misconfiguration, an attacker can manipulate the system by passing shell metacharacters to the script, particularly through its setdns command. Safeguarding against such vulnerabilities is crucial to maintaining the integrity of your network.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved