Improper session handling of "Remember me for 7 days" functionality
CVE-2023-23614

8.8 HIGH

Key Information:

Vendor: Pi-hole
Status: Vendor
CVE Published: 26 January 2023

What is CVE-2023-23614?

The Pi-hole web interface (based on AdminLTE) is vulnerable to Insufficient Session Expiration (CWE-613). The 'Remember me for 7 days' feature sets the persistent-login cookie to the admin WEBPASSWORD hash itself. An attacker who holds that hash can therefore "pass the hash": presenting it as the cookie value logs them in as admin without ever cracking the password. Although the cookie is marked to expire after 7 days, that expiry is enforced only by the browser; the server accepts the hash for as long as the admin password is unchanged, so a captured or stolen cookie value never really expires. Because the hash is transmitted over the network and stored in the browser, there are more places it can leak from, and an attacker who obtains it through another vulnerability (for example, a path traversal) gains admin access directly. This vulnerability was addressed in version 5.18.3.

Affected Version(s)

AdminLTE < 5.18.3

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 26 January 2023

  • Vulnerability reserved