Pi Hole
CVE-2020-8816
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
AnalysisAI
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. Affected products include: Pi-Hole.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)
An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex
Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash
The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today