Pi Hole
CVE-2021-29449
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.
AnalysisAI
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details. Affected products include: Pi-Hole. Version information: version 5.2.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)
An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex
Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash
The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today