Code Injection Vulnerability in Pi-hole DNS Solution from Pi-hole
CVE-2020-14971

7.8HIGH

Key Information:

Vendor

Pi-hole

Status
Pi-hole
Vendor
CVE Published:
23 June 2020

What is CVE-2020-14971?

This vulnerability in Pi-hole, specifically affecting version 5.0, allows an attacker to perform code injection through the Static DHCP Leases section by manipulating Teleporter backup files. The process involves requesting a partial backup via teleporter.php, modifying the necessary host parameters in the dnsmasq.d files within the backup, and then re-uploading the altered .tar.gz archive. Such exploitation can lead to unauthorized code execution, jeopardizing the integrity and security of the Pi-hole DNS solution.

References

https://blog.telspace.co.za/2020/06/pi-hole-code-injectio...
x_refsource_MISC
https://github.com/pi-hole/AdminLTE/pull/1443
x_refsource_CONFIRM
https://github.com/pi-hole/AdminLTE/commit/c949516ee15fa6...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.