Main Vulnerability Database SB2024032851

SB2024032851 - Arbitrary file read in Pi-hole

Published: March 28, 2024 Updated: April 5, 2024

Security Bulletin ID SB2024032851

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) External Control of File Name or Path (CVE-ID: CVE-2024-28247)

The vulnerability allows a remote attacker to read arbitrary files on the system.

The vulnerability exists due to application allows an attacker to control path of the files to read when accessing them via the "file://" handler. A remote attacker can send a specially crafted request and read arbitrary files on the system with root privileges.

Remediation

Install update from vendor's website.

References

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-95g6-7q26-mp9x
https://github.com/pi-hole/pi-hole/commit/f3af03174e676c20e502a92ed7842159f2fdeb7e
https://github.com/pi-hole/pi-hole/releases/tag/v5.18